chore: tighten up REPL security #300
- don't allow top level navigations without user interaction (prevents stuff like an eager `window.load()`)
- don't allow links to other pages to escape sandbox restrictions (as a result most links don't work) if you're visiting a hashed REPL (we can't remove malicious code from them since code is encoded into the URL)
f6b733c to 4b85b14
'allow-modals', | ||
can_escape ? 'allow-popups-to-escape-sandbox' : '', | ||
relaxed ? 'allow-same-origin' : '' |
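Review bot: the two gated tokens in this hunk are the whole security decision, but nothing in the hunk says who may set `can_escape` and `relaxed`; add a comment above the list stating the policy so a later caller does not flip them for user content, e.g. `// can_escape: saved REPLs only (content can be deleted)` and `// relaxed: first-party content only, never user REPLs`. The `''` placeholders for the disabled tokens are harmless in the attribute itself, since `sandbox` is a whitespace-separated token list and browsers ignore extra whitespace, but filtering them out before joining keeps the attribute readable in devtools.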
same question
'allow-modals', | |
can_escape ? 'allow-popups-to-escape-sandbox' : '', | |
relaxed ? 'allow-same-origin' : '' | |
'allow-modals' |
Without `allow-popups-to-escape-sandbox`, when you click on an outgoing link, you'll get a "browser has blocked the response" on the page that opens. It's an edge case for sure, but maybe there are playgrounds which showcase a certain aspect of their library and have a link with "you can read more about this here". Because it's potentially malicious it's only allowed on saved-to-db REPLs, which we could delete if the need arises.

Without `allow-same-origin` you can't access the parent's localStorage, cookies, etc. With the headers being set due to the web container stuff, you also can't access the static images served from the parent domain (e.g. the Rick Roll wouldn't work anymore in the tutorial), though that part could also be solved through #301. Currently this is only set for things that aren't user content, i.e. the tutorial, because otherwise this would be dangerous. I'm not sure why this was originally added (precedes my time at Svelte).
Co-authored-by: Rich Harris <[email protected]>
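As an added example (not code from this PR or the Svelte REPL project), here is the policy from the comment above expressed as a small token builder, plus the one check a reviewer would want in front of it: a same-origin frame that has both `allow-scripts` and `allow-same-origin` can reach `parent.document` and remove its own `sandbox` attribute, which is exactly why `relaxed` must stay off for user content. The REPL kind names, the `sandboxFlags`/`sandboxTokens`/`isSafeForUserContent`/`sandboxAttribute` functions, and the `allow-scripts` base token are assumptions for this example; only `allow-modals`, `allow-popups-to-escape-sandbox` and `allow-same-origin` come from the page.

```javascript
// Added example, not the project's code. Builds the iframe sandbox token list
// from the REPL's trust level and refuses the one combination that must never
// reach user-supplied content. Kind names and base tokens are assumptions.

const REPL_KIND = Object.freeze({
  HASHED: 'hashed',     // code is encoded in the URL; cannot be taken down
  SAVED: 'saved',       // stored server-side; can be deleted if abused
  TUTORIAL: 'tutorial', // first-party content, not user-supplied
});

// Policy from the discussion: outgoing links may escape the sandbox only for
// saved REPLs (deletable), and same-origin access only for first-party content.
// Whether tutorial links may escape is not stated on the page; assumed "no".
function sandboxFlags(kind) {
  switch (kind) {
    case REPL_KIND.HASHED:   return { can_escape: false, relaxed: false };
    case REPL_KIND.SAVED:    return { can_escape: true,  relaxed: false };
    case REPL_KIND.TUTORIAL: return { can_escape: false, relaxed: true };
    default: throw new Error(`unknown REPL kind: ${kind}`);
  }
}

function sandboxTokens(kind) {
  const { can_escape, relaxed } = sandboxFlags(kind);
  return [
    'allow-scripts', // assumed base token: the preview has to run the user's code
    'allow-modals',
    can_escape ? 'allow-popups-to-escape-sandbox' : '',
    relaxed ? 'allow-same-origin' : '',
  ].filter(Boolean); // drop the '' placeholders so the attribute stays clean
}

// allow-scripts + allow-same-origin on a frame that is same-origin with the
// embedder lets the framed document strip its own sandbox attribute, so that
// pair is never acceptable for content the user controls.
function isSafeForUserContent(tokens) {
  return !(tokens.includes('allow-scripts') && tokens.includes('allow-same-origin'));
}

// Returns the string to put in iframe.setAttribute('sandbox', ...), or throws
// if the policy would hand user content a sandbox it can escape.
function sandboxAttribute(kind) {
  const tokens = sandboxTokens(kind);
  const userContent = kind !== REPL_KIND.TUTORIAL;
  if (userContent && !isSafeForUserContent(tokens)) {
    throw new Error(`refusing to render user content with: ${tokens.join(' ')}`);
  }
  return tokens.join(' ');
}

// usage in the page: iframe.setAttribute('sandbox', sandboxAttribute(REPL_KIND.HASHED));
```

The guard in `sandboxAttribute` is deliberately separate from the policy table so that a later change to `sandboxFlags` (say, someone setting `relaxed` for saved REPLs to fix an image) fails loudly instead of silently widening what user code can do.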