Cannot access window.location #126
Comments
I'm not sure how this would work. In the browser you can derive |
I was thinking you could either:
|
For a little background on why this is important in my case, this ember app is publicly accessible and runs across multiple subdomains. Customers can choose a subdomain and the API server uses that as an account key to know what data to return. Since it is one app running multiple accounts, I can't just set that in the environment. |
@paulelliott We've tried to avoid recreating a synthetic browser environment (à la mimicking |
That fastboot service already has If that is the direction then I would suggest just adding Otherwise I would nest a third object alongside What do you think of one of these contracts?
|
@paulelliott In #128, @danmcclain has exposed a

One thing I'm nervous about is the security implications of this. Here's why:

In the browser, you are de facto running on an untrusted, remote client. Because you have designed for a 100% untrusted environment, the user forging things like URLs doesn't matter. For example, if you're using

But with FastBoot, you now have a server that potentially has more privileges and may be running behind a firewall. If the client sends a forged

Here's another scenario: you use the hostname the user is accessing to determine what API server to hit to get sensitive account details. So something like:

```js
return fetch(`${hostname}/users/1234.json`);
```

However, an attacker wants to maliciously retrieve the account credentials for another account. If the attacker sends a

Assuming the FastBoot server is authorized to access data from multiple accounts, we have now introduced a vulnerability into the system. So here are some things to think about:

For example, perhaps we only enable this property if the user specifies one or more regular expressions to whitelist certain hosts. This way the user could say something to the effect of: "only set |
@tomdale: Won't the malicious party need access to a specific user's credentials (be it via a stolen cookie, stolen access token) before they can use a forged header to access protected resources? The browser will not allow you to forge host headers, so a CSRF will not allow the third party to use a forged header. If a third party gained access to a token or cookie, it's game over anyway in terms of security |
@danmcclain That's true, but I can imagine a world-readable database behind the firewall. For example, consider a Redis server where the hostname is used to generate a query, for some reason. I'm not saying it's a good idea, but someone will almost surely do this in practice. |
I'm not sure this is something we need to worry about. The API server should be handling authentication and resource scoping regardless of where the requests originate from. |
Resolved by #136 |
I need to inspect the current subdomain and get the full URL for use with Open Graph tags but `window.location` is not available when running in fastboot.