Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Privileged window.ipfs API access for WebUI #514

Closed
7 of 9 tasks
lidel opened this issue Jul 3, 2018 · 2 comments
Closed
7 of 9 tasks

Privileged window.ipfs API access for WebUI #514

lidel opened this issue Jul 3, 2018 · 2 comments
Labels
area/window-ipfs Issues related to IPFS API exposed on every page kind/enhancement A net-new feature or improvement to an existing feature kind/maintenance Work required to avoid breaking changes or harm to project's status quo P1 High: Likely tackled by core team if no one steps up status/in-progress In progress topic/security Work related to security

Comments

@lidel
Copy link
Member

lidel commented Jul 3, 2018

Background

We need a way to expose full API without any sandboxing or ACL controls for use in safe pages bundled with extension itself (eg. we plan to do that with new WebUI).
Below is the battle plan and work done so far.

cc @olizilla

Tasks

Prerequisites

  • Secure window.ipfs first (remove access to sensitive namespaces)
  • Add PoC window.ipfs support to WebUI
    • ✔️ done, but more and more pages fail as they require access to ipfs.config.get and other sensitive spaces
  • Provide a way of using window.ipfs without sandboxing (full MFS, r/w config etc)

Research

  • Research if we can access window.ipfs in moz-extension:// contexts
    • ❎ the usual route won't work: regular context scripts are not injected into moz-extension:// URLs, even if <all_urls> is used (most likely a security feature to block extensions from snooping in internals of other extensions).
    • ✔️ ... however if we ship WebUI as a page under moz-extension://<companion>/webui/index.html, it will be running in browser extension context. This means it will see browser.* namespace, enabling it to detect browser.extension.getBackgroundPage() just like regular websites detect window.ipfs. This way the IPFS API Client used by extension itself can be obtained via WebExtension API directly.

Implementation

  • Make WebUI into an embeddeddable NPM package
  • Add WebUI as a dependency to IPFS Companion
  • Implement feature detection (getBackgroundPage) in WebUI
  • Think about disabling window.ipfs in WebUI
    • Not used anyway: a non-privileged version of IPFS API is not enough for what WebUI wants to provide
    • It makes development harder (requires suspending IPFS Companion)
  • What about IPFS Desktop? The plan was for it to use window.ipfs
    • Actually, there is more freedom in Electron context. We can just create a real HTTP API Client and use it the same way API accessed via getBackgroundPage is in browser extension.

rube_goldberg s_ self-operating_napkin _ cropped
Professor Butts and the Privileged API Access for WebUI (1931)

@lidel lidel added kind/enhancement A net-new feature or improvement to an existing feature topic/security Work related to security kind/maintenance Work required to avoid breaking changes or harm to project's status quo P1 High: Likely tackled by core team if no one steps up area/window-ipfs Issues related to IPFS API exposed on every page labels Jul 3, 2018
@lidel lidel added this to the 2018-Q3 milestone Jul 7, 2018
@lidel
Copy link
Member Author

lidel commented Jul 24, 2018

Note to self: support for this should land in https://github.com/ipfs-shipyard/ipfs-redux-bundle https://github.com/ipfs-shipyard/ipfs-provider

(detect browser.* namespace, get ipfs via browser.extension.getBackgroundPage())

@lidel lidel modified the milestones: 2018-Q3, 2018-Q4, window.ipfs 2.0 Sep 20, 2018
@lidel lidel added status/ready Ready to be worked status/in-progress In progress and removed status/ready Ready to be worked labels Sep 22, 2018
@lidel lidel changed the title Privileged API access for WebUI Privileged window.ipfs API access for WebUI Nov 27, 2019
@lidel
Copy link
Member Author

lidel commented Oct 19, 2020

Closing due to #589 (comment)
Access to IPFS node is guarded by CORS, relevant explainer and error recovery landed in ipfs-webui a while ago.

@lidel lidel closed this as completed Oct 19, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/window-ipfs Issues related to IPFS API exposed on every page kind/enhancement A net-new feature or improvement to an existing feature kind/maintenance Work required to avoid breaking changes or harm to project's status quo P1 High: Likely tackled by core team if no one steps up status/in-progress In progress topic/security Work related to security
Projects
None yet
Development

No branches or pull requests

1 participant