fix(error-pages): use a stable baseUrl instead of null in loadDataWithBaseURL #329
Open
jim-daf wants to merge 1 commit into
…hBaseURL

The error / HTTPS-failure / site-blocked / malware-warning pages in SmartCookieKT were fed to the WebView with null as the baseUrl. With JavaScript enabled (the inline <script> defines reload()), a null baseUrl makes the page run with about:blank as its effective origin, which means any future change that inlines untrusted content (network error text from another stack, page title from the previous URL, etc.) into the same template would XSS the WebView unrestricted. Today all three interpolated values come from string resources or fixed error codes, so this is defense-in-depth rather than a fix for a known exploit, but the swap to a stable https://...local baseUrl is one line per call site.
Closes #328.
`SmartCookieKT.kt` builds five error interstitial pages (HTTPS-not-supported, onReceivedError, malware warning, site-blocked-by-list x2) and passes `null` as the baseUrl to `loadDataWithBaseURL`, with JavaScript turned on for the inline reload() helper. `null` makes the page run with `about:blank` as its effective origin.

Today every interpolated value (`title`, `error`, `reload`) comes from string resources or fixed error codes, so there is no known XSS sink here. The change is defense in depth: if anyone later inlines a network-error string, a previous-page title, or a piece of the failing URL into the same template, a stable baseUrl keeps the page out of the `about:blank` origin and avoids a same-origin escape on top of the WebView.

Change

Swap `null` for `"https://smartcookieweb-error.local"` (a host that never resolves but gives the WebView a stable origin) in all five `loadDataWithBaseURL` calls in the file. Rendered output is unchanged.
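
An added sketch, not code from this pull request or from `SmartCookieKT.kt`: it pairs the stable baseUrl described above with HTML-encoding of the interpolated values, so that text which later comes from the network is rendered as text rather than markup. The helper name `showErrorPage`, its parameters and the HTML template are assumptions made for the example.

```kotlin
import android.text.TextUtils
import android.webkit.WebView

// Stable origin for error pages; the host is the one named in the pull request.
private const val ERROR_PAGE_BASE_URL = "https://smartcookieweb-error.local"

// Hypothetical helper, not from SmartCookieKT.kt. The template is constructed
// for this example; the project's reload button and inline reload() script
// are left out to keep the focus on the interpolated values.
fun WebView.showErrorPage(title: String, error: String) {
    // HTML-encode each interpolated value (&, <, >, " and ' become entities),
    // so a value that later comes from an untrusted source cannot add tags
    // or attributes to the template.
    val safeTitle = TextUtils.htmlEncode(title)
    val safeError = TextUtils.htmlEncode(error)

    val html = """
        <!DOCTYPE html>
        <html>
        <head><meta charset="utf-8"><title>$safeTitle</title></head>
        <body>
          <h1>$safeTitle</h1>
          <p>$safeError</p>
        </body>
        </html>
    """.trimIndent()

    // With null as the first argument the base URL defaults to about:blank.
    // A fixed https:// base URL gives the interstitial a stable origin.
    loadDataWithBaseURL(ERROR_PAGE_BASE_URL, html, "text/html", "UTF-8", null)
}
```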