-
Notifications
You must be signed in to change notification settings - Fork 893
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Redirect gateway-like urls to ipfs:// #15204
Conversation
0434c69
to
a160422
Compare
std::vector<std::string> host_parts = base::SplitStringUsingSubstr( | ||
url.host(), ".", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); | ||
|
||
if (host_parts.size() > 2 && IsValidCID(host_parts.at(0)) && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
having an example of what original url transforms to which final url would be handy
I'd suggest to ask someone from the sec team to look at the parsing code |
Opened sec review https://github.com/brave/security/issues/1063 |
@@ -104,25 +109,19 @@ int OnHeadersReceived_IPFSRedirectWork( | |||
if (ctx->ipfs_auto_fallback && !api_gateway && response_headers && | |||
response_headers->GetNormalizedHeader("x-ipfs-path", &ipfs_path) && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does ipfs_path
still get used anywhere?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is used as the marker in this case, content isn't used
/build linux |
/build macos |
Resolves brave/brave-browser#21454 Urls in format of https://bafy.ipfs.gateway.io or https://gateway.io/ipfs/bafy are now redirected to ipfs:// scheme if x-ipfs-path header is received
@@ -94,6 +95,13 @@ int OnHeadersReceived_IPFSRedirectWork( | |||
std::shared_ptr<brave::BraveRequestInfo> ctx) { | |||
if (!ctx->browser_context) | |||
return net::OK; | |||
|
|||
// Auto-redirect gateway-like urls is enabled only for top-level frames | |||
// To avoid mixed content corner cases. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/To/to
|
||
if (host_parts.size() > 2 && IsValidCID(host_parts.at(0)) && | ||
host_parts.at(1) == "ipfs") { | ||
GURL final_url = GURL("ipfs://" + host_parts.at(0) + url.path()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you're redirecting http/https to an ipfs url? I don't think that is the correct way to handle this, you should be using url rewriting to display ipfs as the virtual url
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is the reverse of what we do when someone enters ipfs://
in the urlbar
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are checking the response header at the moment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so this redirects any gateway url? I don't think we should be doing that. If I explicitly enter an ipfs url that uses a different gateway than what I have configured, it should not redirect to my configured gateway. I thought this was only to display ipfs for any urls that matched the configured gateway which can be done with the rewriter.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so this redirects any gateway url? I don't think we should be doing that. If I explicitly enter an ipfs url that uses a different gateway than what I have configured, it should not redirect to my configured gateway. I thought this was only to display ipfs for any urls that matched the configured gateway which can be done with the rewriter.
Nope, this is about reusing configured gateway to load IPFS resources.
Automatically uses the configured gateway for IPFS resolutions when an IPFS gateway resource is encountered.
As for the manual url input i'll discuss it, maybe this should be exclusion.
Resolves brave/brave-browser#21454 Urls in format of https://bafy.ipfs.gateway.io or https://gateway.io/ipfs/bafy are now redirected to ipfs:// scheme if x-ipfs-path header is received
Sec review https://github.com/brave/security/issues/1063
Resolves
Submitter Checklist:
QA/Yes
orQA/No
;release-notes/include
orrelease-notes/exclude
;OS/...
) to the associated issuenpm run test -- brave_browser_tests
,npm run test -- brave_unit_tests
,npm run lint
,npm run gn_check
,npm run tslint
git rebase master
(if needed)Reviewer Checklist:
gn
After-merge Checklist:
changes has landed on
Test Plan:
"Redirect IPFS resources to the configured IPFS gateway" setting should open ipfs:// urls and, so, should work with IPFS resolve method "ASK"