fix: limit SW registration to content root

Introduces hardening proposed in: ipfs#4025 (comment) License: MIT Signed-off-by: Marcin Rataj <lidel@lidel.org>
ralendor · Jun 8, 2020 · 535a836 · 535a836
1 parent 9680b26
commit 535a836
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/core/corehttp/gateway_handler.go b/core/corehttp/gateway_handler.go
@@ -185,6 +185,18 @@ func (i *gatewayHandler) getOrHeadHandler(w http.ResponseWriter, r *http.Request
 		}
 	}
 
+	// Service Worker registration request
+	if r.Header.Get("Service-Worker") == "script" {
+		// Disallow Service Worker registration on namespace roots
+		// https://github.com/ipfs/go-ipfs/issues/4025
+		matched, _ := regexp.MatchString(`^/ip[fn]s/[^/]+$`, r.URL.Path)
+		if matched {
+			err := fmt.Errorf("registration is not allowed for this scope")
+			webError(w, "navigator.serviceWorker", err, http.StatusBadRequest)
+			return
+		}
+	}
+
 	parsedPath := ipath.New(urlPath)
 	if err := parsedPath.IsValid(); err != nil {
 		webError(w, "invalid ipfs path", err, http.StatusBadRequest)