From 458bf343592693abd54bc57990da5b69b8ac0932 Mon Sep 17 00:00:00 2001
From: Marcin Rataj <lidel@lidel.org>
Date: Mon, 12 Nov 2018 16:50:20 +0100
Subject: [PATCH] fix: disable redirect for CID-in-subdomain (#617)

This is a fix of a regression for
https://github.com/ipfs-shipyard/ipfs-companion/pull/537
that was introduced when X-Ipfs-Path header support was added.

Until we are able to provide the same origin-based security guarantees
at a local gateway, we should not redirect resources that use
cid-in-subdomain deployment, as it is a strong hint they care about
Origin-based isolation and we should not relax those guarantees.
---
 add-on/src/lib/ipfs-request.js                            | 6 ++++++
 test/functional/lib/ipfs-request-gateway-redirect.test.js | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/add-on/src/lib/ipfs-request.js b/add-on/src/lib/ipfs-request.js
index b2d00c619..9306b36bb 100644
--- a/add-on/src/lib/ipfs-request.js
+++ b/add-on/src/lib/ipfs-request.js
@@ -306,6 +306,12 @@ function isSafeToRedirect (request, runtime) {
     return false
   }
 
+  // For now we do not redirect if cid-in-subdomain is used
+  // as it would break origin-based security perimeter
+  if (IsIpfs.subdomain(request.url)) {
+    return false
+  }
+
   // Ignore XHR requests for which redirect would fail due to CORS bug in Firefox
   // See: https://github.com/ipfs-shipyard/ipfs-companion/issues/436
   // TODO: revisit when upstream bug is addressed
diff --git a/test/functional/lib/ipfs-request-gateway-redirect.test.js b/test/functional/lib/ipfs-request-gateway-redirect.test.js
index c1e2c1325..eaf6d3cfc 100644
--- a/test/functional/lib/ipfs-request-gateway-redirect.test.js
+++ b/test/functional/lib/ipfs-request-gateway-redirect.test.js
@@ -268,11 +268,13 @@ describe('modifyRequest.onBeforeRequest:', function () {
         it('should be left untouched for IPFS', function () {
           state.redirect = true
           const request = url2request('http://bafybeigxjv2o4jse2lajbd5c7xxl5rluhyqg5yupln42252e5tcao7hbge.ipfs.dweb.link/')
+          request.responseHeaders = [{ name: 'X-Ipfs-Path', value: '/ipfs/QmPhnvn747LqwPYMJmQVorMaGbMSgA7mRRoyyZYz3DoZRQ' }]
           expectNoRedirect(modifyRequest, request)
         })
         it('should be left untouched for IPNS', function () {
           state.redirect = true
           const request = url2request('http://bafybeigxjv2o4jse2lajbd5c7xxl5rluhyqg5yupln42252e5tcao7hbge.ipns.dweb.link/')
+          request.responseHeaders = [{ name: 'X-Ipfs-Path', value: '/ipfs/QmPhnvn747LqwPYMJmQVorMaGbMSgA7mRRoyyZYz3DoZRQ' }]
           expectNoRedirect(modifyRequest, request)
         })
       })