Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reject non-http URLs for url member #174

Merged
merged 6 commits into from
Sep 21, 2020
Merged

Reject non-http URLs for url member #174

Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
c2c7f20
Reject non-http URLs for url member
marcoscaceres Aug 27, 2020
440cb31
Add security consideration
marcoscaceres Aug 27, 2020
26b3bea
Update index.html
Sep 11, 2020
9d4cc00
Merge branch 'master' into URL_mitigations
Sep 16, 2020
78191dd
Update based on Martin's updated wording
marcoscaceres Sep 16, 2020
65c1153
Disable linking to Wylecial article
marcoscaceres Sep 21, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 26 additions & 0 deletions index.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,14 @@
browsers: ["chrome", "firefox", "safari", "edge", "and_chr", "and_ff", "ios_saf"],
},
xref: "web-platform",
localBiblio: {
"Wylecial": {
"date": "2020-08-25",
"title": "Stealing local files using Safari Web Share API",
"Author": "Pawel Wylecial",
"href": "https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html"
}
}
};
</script>
</head>
Expand Down Expand Up @@ -177,6 +185,9 @@ <h4>
<li>If |url| is failure, return <a>a promise rejected with</a>
{{TypeError}}.
</li>
<li>If |url|'s [=URL/scheme=] is not "http" or "https", return
<a>a promise rejected with</a> {{TypeError}}.
</li>
<li>Set |data| to a copy of |data|, with its {{ShareData/url}}
member set to the result of running the <a>URL serializer</a>
on |url|.
Expand Down Expand Up @@ -465,6 +476,21 @@ <h2>
guard against this, but implementors will want to be aware that it is a
possibility.
</li>
<li>Earlier iterations of this API allowed sharing URLs of any scheme
type via {{ShareData}}'s {{ShareData/url}} member. This was shown to be
a <a data-cite="Wylecial#">security vulnerability</a> and the
{{ShareData/url}} member was restricted to only accepting the "http:"
and "https:" URL schemes. However, this mitigation is insufficient to
fully protect applications or operating systems that accept URLs as
part of a share (i.e, "share targets"). Share targets need to be
marcoscaceres marked this conversation as resolved.
Show resolved Hide resolved
careful when dereferencing shared URLs for the purposes of, for
example, generating user-friendly previews: The risk is that share
targets could retrieve content from the URL, and that they might follow
redirects (or be subject to DNS tweaking) in order to exploit their
position in the network to access information that might otherwise be
protected by firewalls and similar. If the application also passes on
that information, that leads to an unexpected information leakage.
marcoscaceres marked this conversation as resolved.
Show resolved Hide resolved
</li>
</ul>
</section>
<section class="appendix informative">
Expand Down