Fix "Origin" isolation check
lidel opened this issue · 2 comments
lidel commented
It seems that gateways get โ for Origin isolation and ๐ EVEN when path gateway does not redirect to a subdomain.
This broken setup is not possible with go-ipfs, but someone could do this type of menace with a custom Nginx config, defeating the origin isolation provided by subdomains.
Figuring out if `/ipfs/{cid}` returns HTTP 200 or 301 will be tricky because JS `fetch` follows redirects.
Workarounds to investigate (did not check, just an idea):
- load HTML+JS into a hidden iframe, and read `window.location.origin` from iframe via postMessage and fail if origin is not `https://{cid}.ipfs.{gateway}`
  - does not work due to CORS
- ? ? ? (comment with your ideas)
SoftCreatR commented
Just check the response URL:
```javascript
let hash = `bafybeifx7yeb55armcsxwwitkymga5xf53dxiarykms3ygqic223w5sk3m`
let now = Date.now()
// Cache-busting query; the fragment asks IPFS Companion not to redirect the request
let testUrl = `https://ipfs.1-2.dev/ipfs/${hash}?now=${now}#x-ipfs-companion-no-redirect`
fetch(testUrl).then(res => {
  // res.url is the final URL after fetch has followed any redirects
  if (res.url.startsWith(`https://${hash}`)) console.log(`Supports origin isolation`)
  else console.log(`Does not support origin isolation`)
});
```
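A stricter form of the response-URL check, as an added example that is not part of the original thread or the project's code: it compares the final URL's host with the `https://{cid}.ipfs.{gateway}` form named in the issue instead of using a prefix match. The function names and the `gateway.example` hosts are hypothetical, and the CID is assumed to already be a lowercase base32 CIDv1.

```javascript
// Added example (hypothetical helper names; not code from public-gateway-checker).
// Assumption: `cid` is a lowercase base32 CIDv1, so it is a valid DNS label as-is.
const CID = 'bafybeifx7yeb55armcsxwwitkymga5xf53dxiarykms3ygqic223w5sk3m'

// Classify the URL that fetch() ended up at after following redirects.
function classifyIsolation (gatewayHost, cid, finalUrl) {
  let final
  try {
    final = new URL(finalUrl)
  } catch {
    return 'invalid-url'
  }
  const gateway = gatewayHost.toLowerCase()
  const expectedHost = `${cid}.ipfs.${gateway}`
  if (final.protocol !== 'https:') return 'not-https'
  // Exact host match: content is served from its own per-CID origin.
  if (final.host === expectedHost) return 'isolated'
  // Still on the gateway's own origin: path gateway answered without redirecting.
  if (final.host === gateway && final.pathname.startsWith(`/ipfs/${cid}`)) {
    return 'path-only'
  }
  // Anything else, including hosts that merely start with the CID.
  return 'unexpected-origin'
}

// Live check; fetchImpl is injectable so the classifier can be tested offline.
async function checkGateway (gatewayHost, cid, fetchImpl = fetch) {
  const testUrl = `https://${gatewayHost}/ipfs/${cid}?now=${Date.now()}#x-ipfs-companion-no-redirect`
  const res = await fetchImpl(testUrl)
  return classifyIsolation(gatewayHost, cid, res.url)
}

// Constructed final URLs (not captured from real gateways).
const SAMPLES = [
  `https://${CID}.ipfs.gateway.example/`,      // redirected to subdomain
  `https://gateway.example/ipfs/${CID}?now=1`, // served from path, no redirect
  `https://${CID}.other.example/`              // passes a startsWith check
]

function classifySamples () {
  return SAMPLES.map(u => classifyIsolation('gateway.example', CID, u))
}
```

Only `isolated` should earn the origin-isolation mark; `path-only` is the misconfiguration described at the top of the issue.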
SgtPooki commented
@whizzzkid to investigate if this is solved with his recent changes