-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: allow requests from electron renderer #201
Conversation
The Electron Renderer process runs in an embedded browser window so has access to browser-native `fetch`. If this is used by `ipfs-http-client` to make requests against the HTTP API, the `User-Agent` header is set to a value that looks similar to a browser but no `Origin` or `Referer` headers are sent. The change here is to relax the user agent check to allow through requests from clients with `'Electron'` in their user agents.
@aschmahmann does this PR need anything else or can it go in? |
Nope, this seems fine. Am I putting this in the next RC? |
Yes please! |
(cc @rafaelramalho19 @Gozala for visibility and double check of my assumptions) Hm.. IIUC this PR moves security perimeter a bit and requires more care from other Electron app developers. Namely, introduces a need to ensure there is no loading and executing third-party JS into renderer process. With this change, in theory, if someone builds/embeds web browser functionality with Electron (https://beakerbrowser.com/ 🙃 ) and user loads a third party page into renderer process on a machine which also happen to have IPFS node running on default ports, this third-party page would have full access to the go-ipfs API, even if the author of Electron app did not intent that to happen. FYI in ipfs-desktop we use ipfs-http-client outside of a renderer process, and we are able to manually set @achingbrain Perhaps instead of removing Origin protection, ipfs-http-client should detect its running in renderer process of Electron and throw an error with link to docs/example how to set proper Origin via |
Thanks @lidel. I guess I merged this prematurely. I also noticed playing around with Electron (although it might be that I was doing it wrong) that the origin is |
While it does expand margin of error, I am not sure trying to guard against such mistakes is worth it. If electron app is executing third party JS in renderrer process without sandboxing it (e.g. to some origin and no node APIs) that script can access pretty much any node API (including HTTP), disk access etc.. That said I think @lidel is bringing up a really good point, maybe instead of aiming to just have HTTP client work in electron renderrer process we should think through how do we want http-client to be used in Electron and create a guided solution for it (which maybe a documentation, some helper lib or both). |
<iframe src='https://evil.com/nasty.html'></iframe>
--
"origin": "https://evil.com"
<iframe sandbox='allow-scripts' src='https://evil.com/nasty.html'></iframe>
--
"origin": "null"
<iframe sandbox='allow-scripts allow-same-origin' src='https://evil.com/nasty.html'></iframe>
--
"origin": "https://evil.com"
No referer header is sent in 1-3. So with this patch an attack is possible if a node has been configured to allow API requests from an origin that an attacker can serve content from (spinning up a web server on the node itself for example) and the loaded code either replaces the renderer window or is in an unsandboxed iframe or one with permissive sandbox settings. Essentially these sort of attacks can be mitigated by following existing Electron/Browser security best practices. |
Something else to consider is that since without this patch any requests made by |
@Gozala and @achingbrain are right (thanks for the detailed analysis!), Electron is a hacky environment where footguns are plenty, and we should not judge this runtime with the same mindset as regular browser context. Key insight: realistically speaking, without this patch developers would not introduce Origin override in Hate to say it, but.. sounds like it will be less harmful if we keep this PR in. |
Cool, sounds like we're leaving this in. Thanks everyone for putting in the time to look into this, I'll do a release + bubble into go-ipfs later today. |
The Electron Renderer process runs in an embedded browser window so has access to browser-native
fetch
. If this is used byipfs-http-client
to make requests against the HTTP API, theUser-Agent
header is set to a value that looks similar to a browser but noOrigin
orReferer
headers are sent and they can't be overridden.The change here is to relax the user agent check to allow through requests from clients with
'Electron'
in their user agents.