Problem
The JavaScript token-capture logic in `index.html` has two issues:
1. Weak URL domain matching (lines 156, 190)
```javascript
if (url && url.includes('apple-cloudkit.com')) {
```
`.includes()` is a substring check — it matches attacker-controlled URLs like `http://evil.com/?q=apple-cloudkit.com`. Should use proper URL parsing and validate the hostname ends with `.apple-cloudkit.com`.
Fix:
```javascript
// Parse the URL and check the hostname only, so the trusted string
// cannot be smuggled in via the path, query or userinfo.
function isCloudKitUrl(url) {
  try {
    return new URL(url).hostname.endsWith('.apple-cloudkit.com');
  } catch {
    // Relative or malformed URLs do not parse; treat them as untrusted.
    return false;
  }
}
```
2. Token not being captured reliably
The reviewer noted "this isn't working" — the network interception via `fetch` / XHR override may not capture the web auth token reliably. Needs investigation into whether the `ckSession` cookie or a direct DOM event is a more reliable capture mechanism.
File
`Examples/MistDemo/Sources/MistDemo/Resources/index.html`