Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Origin isolation warnings, tests and enforcement #30

Open
6 of 9 tasks
lidel opened this issue Feb 23, 2024 · 2 comments
Open
6 of 9 tasks

Origin isolation warnings, tests and enforcement #30

lidel opened this issue Feb 23, 2024 · 2 comments
Assignees
Labels
P1 High: Likely tackled by core team if no one steps up

Comments

@lidel
Copy link
Member

lidel commented Feb 23, 2024

Extracted from #20 (comment)

Needs

For inbrowser.link

The goal is to provide a subdomain gateway for loading websites in web browser.

Lack of isolation is a security bug. Subdomain mode MUST be enforced.

For General Availability

Good security is like water, if things are right, fishes should not even notice it.

For end users:

  • We need to protect end user from subdomain misconfigurations, and at least warn them when SW gateway is deployed without proper origin isolation.
    • SW code must be smart enough to do the right thing when deployed on third-party domains, without additional configuration.
    • No shortcuts, no hardcoding "subdomain hostnames". This has to be automated, and work with any third-party domain.

For gateway Operators:

  • Setup complexity should be limited to getting wildcard TLS certs.
    • Operators should know what to do/fix by just opening website via SW gateway and reading the same error as end user.

Initial design

Tasks

Before ETH Denver:

  • fix: dynamic subdomain gateway detection #53
  • do whatever quick and dirty MVP is needed to enforce origin isolation on inbrowser.link. we have subdomain setup, so we should detect being on path, confirm subdomain works, convert to subdomain, and redirect to that.

For general availability:

  • detect when on example.com/ip[nf]s and either redirect to working subdomain at *.ip[nf]s.example.com or produce error page which requires user to accept the risk before they to continue browsing in path gateway mode
    • figure out how do we cache/store result of isSubdomainIsolationSupported (should be executed only once)
    • figure out how to test for regression
    • figure out if a test exists that works on subdomains without CORS headers
      • try identity CID with 1x1 px png image? (image loads don't respect cors)
  • review language on error page, make it useful to both end user who wants to understand the risks and gateway operator who wants to set up subdomains correctly to fix problem for end users
  • create end-to-end regression test which confirms the protections work as expected
@SgtPooki
Copy link
Member

SgtPooki commented Feb 23, 2024

@lidel

SW code must be smart enough to do the right thing when deployed on third-party domains, without additional configuration.

FYI that helia-service-worker-gateway works if built with BASE_URL env var. no hardcoding required anymore. However, we could probably infer domain fairly easily if we reduce the flexibility of deployment domains (e.g. deploying on subdomain such as <subdomain>.<root>.<tld> instead of something like <root>.<tld>).

@lidel
Copy link
Member Author

lidel commented Feb 26, 2024

Yes, existence of BASE_URL means hostname needs to be hardcoded at build time, which means we can't have single trusted build which can then be deployed/cached on multiple gateways, people need to manually build to use it.

I've took a stab at removing this limitation in #53

lidel added a commit that referenced this issue Feb 28, 2024
lidel added a commit that referenced this issue Feb 28, 2024
SgtPooki added a commit that referenced this issue Feb 28, 2024
* fix: enforce origin isolation on subdomain gws

Towards #30

* chore: undo ts fixup

* refactor: apply suggestions from code review

Co-authored-by: Russell Dempsey <[email protected]>

* fix: config page redirect

* chore: empty out redirects

* chore: config page check supports hash routing

* chore: html title

* Revert "chore: empty out redirects"

This reverts commit 1a6d25c.

* Revert "fix: config page redirect"

This reverts commit 2fee3ce.

* fix: redirects file doesnt bork config requests

---------

Co-authored-by: Russell Dempsey <[email protected]>
@SgtPooki SgtPooki added this to the Prod: Initial release milestone Apr 8, 2024
@lidel lidel removed this from the Prod: Initial release milestone Dec 5, 2024
@SgtPooki SgtPooki added the P1 High: Likely tackled by core team if no one steps up label Dec 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
P1 High: Likely tackled by core team if no one steps up
Projects
No open projects
Status: No status
Development

No branches or pull requests

2 participants