Fix "Origin" isolation check

Question

Fix "Origin" isolation check

lidel opened this issue 4 years ago · 2 comments

It seems that gateways get ✅ for Origin isolation and 💚 EVEN when path gateway does not redirect to a subdomain.

This broken setup is not possible with go-ipfs, but someone could do this type of menace with a custom Nginx config, defeating the origin isolation provided by subdomains.

Figuring out if /ipfs/{cid} returns HTTP 200 or 301 will be tricky because JS fetch follows redirects.

Workarounds to investigate (did not check, just an idea):

~~load HTML+JS into a hidden iframe, and read window.location.origin from iframe via postMessage and fail if origin is not https://{cid}.ipfs.{gateway}~~
- does not work due to CORS
? ? ? (comment with your ideas)

Answer 1 · 2021-10-02T08:22:32.000Z

Just check the response URL:

let hash = `bafybeifx7yeb55armcsxwwitkymga5xf53dxiarykms3ygqic223w5sk3m`
let now = Date.now()
let testUrl = `https://ipfs.1-2.dev/ipfs/${hash}?now=${now}#x-ipfs-companion-no-redirect`

fetch(testUrl).then(res => {
   if (response.url.startsWith(`https://${hash}`)) console.log(`Supports origin isolation`)
   else console.log(`Does not support origin isolation`)
});

Answer 2 · 2022-11-22T19:52:33.000Z

@whizzzkid to investigate if this is solved with his recent changes