Return User Signature as a URL Fragment Instead of Query Parameter
zavodil opened this issue · 5 comments
When invoking the signMessage function in Bitte Wallet, the user's signature is currently being returned in the URL as a query parameter. For example:
http://callbackUrl?signature=<signature>
Returning sensitive information like a user's signature in the URL query parameters introduces security concerns:
- Logging Risks: Query parameters are often logged by web servers, proxies, and even browsers, which could inadvertently expose sensitive information.
- History Storage: URLs with query parameters can be stored in the browser's history, further increasing the risk of unintentional leakage.
Proposed Solution:
To mitigate these risks, it would be more secure to return the signature as a URL fragment (hash). For example:
http://callbackUrl#signature=<signature>
This has been addressed on the wallet.
Yes, signing the message with the existing account is working fine now.
Could you please check the following scenario:
- Logout in the Bitte wallet
- Go to demo.fastnear.ai -> Sign in -> Bitte
- Create a new account and sign
In my case, the browser showed an error "Application error: a client-side exception has occurred (see the browser console for more information).", and the URL changed to this: https://wallet.bitte.ai/account/new?auth_url=https://wallet.bitte.ai/sign-message?message=Are+you+ready+to+accelerate%3F&nonce=MDAwMDAwMDAwMDAwMDAwMDAwMDE3MjY2ODEzMDQ4NDM%3D&recipient=ai.near&callbackUrl=https%3A%2F%2Fdemo.fastnear.ai
will take a look @zavodil
should be fixed @zavodil. Thanks for reporting this issue.
@sainthiago yes, thank you, it works great!