When a user sends a message containing a URL, Darkwire transforms the URL into an HTML anchor tag with an href link to the URL in question using the Autolinker module.
This creates two important security vulnerabilities.
Missing rel=noreferrer
When a user clicks on a link sent by another user in the same chat room, the request made by the browser to fetch the resource referenced by the URL will contain a Referrer header whose value will be the chatroom's full URL.
This creates an issue where any website administrator whose site a Darkwire user browsed to can just look up the Darkwire chatroom URL in the Referrer header of his server logs.
Missing rel=noopener
Since anchor tags created by Autolinker contain a target=_blank attribute, users clicking on this link will be vulnerable to tab-jacking attacks.
More details can be found in this blog post: https://mathiasbynens.github.io/rel-noopener/
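As an added example (not Darkwire's or Autolinker's own code), here is a minimal autolinker in the unsafe shape the issue describes next to the hardened form, plus an audit function a maintainer can run over rendered chat HTML to flag any target=_blank anchor that lacks the rel tokens. The function names and the sample message are assumptions made for the illustration.

```javascript
// Added example, not Darkwire or Autolinker code. Function names and the
// sample message below are constructed for this illustration.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/g;

// Escape message text before it is inserted into HTML so a chat message
// cannot inject its own markup around the generated anchor.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe form (the behaviour reported in the issue): the link opens in a new
// tab, but the navigation carries the chatroom URL as Referer and gives the
// opened page a window.opener handle to the chat tab.
function autolinkUnsafe(message) {
  return escapeHtml(message).replace(URL_RE, (url) =>
    `<a href="${url}" target="_blank">${url}</a>`);
}

// Hardened form: rel="noopener noreferrer" suppresses the Referer header and
// severs window.opener, which is the fix the issue asks for.
function autolinkSafe(message) {
  return escapeHtml(message).replace(URL_RE, (url) =>
    `<a href="${url}" target="_blank" rel="noopener noreferrer">${url}</a>`);
}

// Defender check: return every <a> in the HTML that opens a new window
// without both rel tokens, with the tokens that are missing.
function findUnsafeAnchors(html) {
  const findings = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = m[1];
    if (!/\btarget\s*=\s*["']?_blank["']?/i.test(attrs)) continue;
    const relMatch = attrs.match(/\brel\s*=\s*["']([^"']*)["']/i);
    const tokens = (relMatch ? relMatch[1] : '').toLowerCase().split(/\s+/).filter(Boolean);
    const missing = ['noopener', 'noreferrer'].filter((t) => !tokens.includes(t));
    if (missing.length > 0) findings.push({ tag: m[0], missing });
  }
  return findings;
}

// Constructed sample message: a room URL with a query string and a markup attempt.
const SAMPLE_MESSAGE = 'join me at https://example.com/room?x=1&y=2 <script>';
```

Running findUnsafeAnchors over the unsafe output reports one anchor missing both tokens; over the hardened output it reports none.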
* develop:
Updated travis for latest distro and chromedriver. Update darkwire to v1.5.8
Adds rel=noreferrer and rel=noopener to autolinks (Fixes #46)
Fixes XSS attack through user renaming (#47)
Dockerfile strictly requiring njs 6.7