Mask referrer field when creating OEMBED attachments #3860
Comments
@Sing-Li Was it a request from Radically Open Security? Or was it just an idea?
@MartinSchoeler Why does it matter? It is an idea from Radically Open Security, our security consultancy partner.
@Sing-Li, we just wanted to check the priority... If this was a production problem already or a nice-to-have.
@engelgabriel @Sing-Li I think we have a severe security issue here. This is how it looks on the server that hosts the attachment when someone clicks on an attachment.
So as you can see, at least the username and the channel name are leaked. Maybe the rocketchat server itself could act as proxy? thanks and cheers
Hi, we have the same problem. Will this be fixed anytime soon?
We've decided to go with the "act as a proxy" solution.
There are some security sensitive applications where the REFERRER field of the request issued by our OEMBED outreach can be used to identify the source absolutely (and becomes a security risk).
Allow a redirector (or some sort of proxy) to be specified in order to mask the REFERRER field of the outreach request.