Skip to content

/ webtorrent

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix http server XSS #1714

Merged
merged 3 commits into from Aug 27, 2019
+48 −10
Merged

Fix http server XSS #1714

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
22546df
Fix http server XSS
feross Aug 27, 2019
cdf1159
Set security headers on /favicon.ico responses
feross Aug 27, 2019
9029557
Address @diracdeltas feedback on #1714
feross Aug 27, 2019
File filter...
Filter file types
Clear filters
Jump to…
Jump to file or symbol
Failed to load files and symbols.

Always

Just for now

Prev Next
Loading status checks…

Set security headers on /favicon.ico responses

  • Loading branch information
@feross
feross committed Aug 27, 2019
commit cdf1159cc0227b1f85c4a52263cbd33bc4ed5242
8 lib/server.js
View file
Open in desktop
@@ -79,10 +79,6 @@ function Server (torrent, opts = {}) {

const pathname = new URL(req.url, 'http://example.com').pathname

if (pathname === '/favicon.ico') {
return serve404Page()
}

// Allow cross-origin requests (CORS)
if (isOriginAllowed(req)) {
res.setHeader('Access-Control-Allow-Origin', req.headers.origin)
@@ -94,6 +90,10 @@ function Server (torrent, opts = {}) {
// Defense-in-depth: Set a strict Content Security Policy to mitigate XSS
res.setHeader('Content-Security-Policy', "base-uri 'none'; default-src 'none'; frame-ancestors 'none'; object-src 'none';")
This conversation was marked as resolved by feross

This comment has been minimized.

Sign in to view
Copy link
@diracdeltas

diracdeltas Aug 27, 2019

Contributor

this is super minor but you could also set https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action to none if you wanted to lock it down more

This comment has been minimized.

Sign in to view
Copy link
@diracdeltas

diracdeltas Aug 27, 2019

Contributor

object-src none isn't necessary because it's covered by default-src https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src

This comment has been minimized.

Sign in to view
Copy link
@feross

feross Aug 27, 2019

Author Member

Thanks, resolved!

if (pathname === '/favicon.ico') {
return serve404Page()
}

// Allow CORS requests to specify arbitrary headers, e.g. 'Range',
// by responding to the OPTIONS preflight request with the specified
// origin and requested headers.
ProTip! Use n and p to navigate between commits in a pull request.
You can’t perform that action at this time.