- Mar 22, 2024
dakkar authored
`url.host` includes the port, `url.hostname` doesn't. `http://foo.example.com/something` and `http://foo.example.com:1234/something` are different resources served by different hosts; we should not confuse them. Note that `(new URL('http://localhost:80')).host` is `localhost` and `(new URL('https://localhost:443')).host` is also `localhost`: the default port gets correctly ignored. This change should not really affect anything in "the real world", as we're all serving over https from port 443, but it may stop some impersonation attacks.
dakkar authored
if we are asked to fetch a URL that points to our own instance, but we can't resolve that from our database, the URL is bad and should be rejected. This should also stop some SSRF attacks.
dakkar authored
when fetching an AP resource, the remote server may return HTTP 302 or similar, but it should never bounce us to a different host
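As an added example that is not code from this project or its authors, here are the two rules from this commit and the one before it (reject a URL that claims to be on our own instance but does not resolve locally; never follow a redirect to a different host), written in JavaScript against the WHATWG `URL` class. `LOCAL_HOST`, the `localObjects` map and every URL below are constructed stand-ins for the instance's own host, its database lookup and remote servers; `redirectTarget` returning `null` on a cross-host `Location` is a design choice of the example, not something the commit prescribes.

```javascript
// Added example, not code from the project's repository: two checks applied
// before and during an ActivityPub fetch. LOCAL_HOST and `localObjects` are
// constructed stand-ins for the instance's own host and its database lookup.

const LOCAL_HOST = 'social.example.test';

// Stand-in for "can we resolve this URL from our own database?"
const localObjects = new Map([
  ['https://social.example.test/users/alice', { type: 'Person', name: 'alice' }],
]);

// A URL that points at our own instance is only valid if we can resolve it
// locally; otherwise it is rejected instead of being fetched over the network.
// Remote URLs are returned unchanged for the fetcher to handle.
function classifyFetchTarget(urlString) {
  const url = new URL(urlString);
  if (url.host === LOCAL_HOST) {
    const object = localObjects.get(url.href);
    if (object === undefined) {
      throw new Error(`URL claims to be local but does not resolve: ${url.href}`);
    }
    return { local: true, object };
  }
  return { local: false, url: url.href };
}

// Given the URL that was requested and the Location header of a 3xx reply,
// return the absolute target to follow, or null when it would leave the host.
// Location may be relative, so it is resolved against the request URL; the
// comparison uses `host`, so a change of port also counts as a different host.
function redirectTarget(requestUrl, location) {
  const from = new URL(requestUrl);
  const to = new URL(location, from);
  if (to.host !== from.host) return null;
  return to.href;
}

// Constructed demonstration.
console.log(classifyFetchTarget('https://remote.example.org/users/bob'));
console.log(classifyFetchTarget('https://social.example.test/users/alice'));
try {
  classifyFetchTarget('https://social.example.test/users/nobody');
} catch (err) {
  console.log('rejected:', err.message);
}
console.log(redirectTarget('https://remote.example.org/users/bob', '/users/bob/'));                  // same host: followed
console.log(redirectTarget('https://remote.example.org/users/bob', 'https://other.example.net/x'));  // null: other host
console.log(redirectTarget('https://remote.example.org/users/bob', 'https://remote.example.org:8443/x')); // null: port changed
```

The redirect check is meant to sit in the fetcher's loop with automatic redirects disabled, so that every `Location` passes through `redirectTarget` before another request is issued.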
dakkar authored
so we can use it elsewhere
dakkar authored
this makes it harder for a malicious actor to pretend to be someone else
dakkar authored
we already check that `id` matches the host, but collections must match too! Otherwise a malicious actor could present us with someone else's collections.
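As an added example (not code from this project's repository or from dakkar), the host check described in this commit and in the `url.host` vs `url.hostname` commit above, written in JavaScript against the WHATWG `URL` class: `host` keeps a non-default port and drops the scheme's default port, and the same comparison is applied to an actor's collection URLs as well as to its `id`. The list of collection fields, the actor documents and the host names are constructed assumptions of the example.

```javascript
// Added example, not code from the project's repository: host matching with
// `url.host` (name plus any non-default port), applied to an ActivityPub
// actor's `id` and its collection URLs. All sample data below is constructed.

// The part of a URL that identifies which server serves it. The WHATWG URL
// parser drops a scheme's default port, so 'https://a.example:443/' gives
// 'a.example', while 'https://a.example:8443/' gives 'a.example:8443'.
function hostOf(urlString) {
  return new URL(urlString).host;
}

// The port-blind variant, shown only for contrast: it conflates
// foo.example.com with foo.example.com:1234.
function hostnameOf(urlString) {
  return new URL(urlString).hostname;
}

// Same host means same name AND same effective port.
function sameHost(a, b) {
  return hostOf(a) === hostOf(b);
}

// Collection fields (assumed list) whose URLs must live on the same host as
// the actor `id`; otherwise a remote server could hand us someone else's
// collections as if they were its own.
const COLLECTION_FIELDS = ['inbox', 'outbox', 'followers', 'following'];

// Returns the fields that fail the host check (empty array = actor is consistent).
function mismatchedCollections(actor) {
  const bad = [];
  for (const field of COLLECTION_FIELDS) {
    const value = actor[field];
    if (typeof value !== 'string') continue; // optional field, nothing to check
    if (!sameHost(actor.id, value)) bad.push(field);
  }
  return bad;
}

// Constructed sample actors.
const honest = {
  id: 'https://foo.example.com/users/alice',
  inbox: 'https://foo.example.com:443/users/alice/inbox', // default port: still the same host
  outbox: 'https://foo.example.com/users/alice/outbox',
  followers: 'https://foo.example.com/users/alice/followers',
};

const suspicious = {
  id: 'https://foo.example.com/users/alice',
  inbox: 'https://foo.example.com/users/alice/inbox',
  outbox: 'https://foo.example.com:1234/users/alice/outbox',   // other port: a different host
  followers: 'https://other.example.net/users/bob/followers',  // someone else's collection
};

console.log(hostnameOf('https://foo.example.com:1234/x'), hostOf('https://foo.example.com:1234/x'));
console.log(mismatchedCollections(honest));      // []
console.log(mismatchedCollections(suspicious));  // [ 'outbox', 'followers' ]
```

`hostOf` is the comparison the commit argues for; `hostnameOf` is there only to make the difference visible on a URL with an explicit non-default port.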
- Mar 14, 2024
dakkar authored
View MR for information: !453 Closes #436 Approved-by: Essem <smswessem@gmail.com> Approved-by: Leah <kevinlukej@gmail.com>
dakkar authored
View MR for information: !468 Closes #445 Approved-by: Luna <her@mint.lgbt> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>
dakkar authored
View MR for information: !466 Approved-by: Luna <her@mint.lgbt> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>
dakkar authored
View MR for information: !467 Closes #458 Approved-by: Amelia Yukii <amelia.yukii@shourai.de> Approved-by: Leah <kevinlukej@gmail.com> Approved-by: Marie <marie@kaifa.ch>
Marie authored
View MR for information: !470 Approved-by: Amelia Yukii <amelia.yukii@shourai.de> Approved-by: Marie <marie@kaifa.ch> Approved-by: dakkar <dakkar@thenautilus.net>
Luna authored
View MR for information: !471 Approved-by: Amelia Yukii <amelia.yukii@shourai.de> Approved-by: Luna <her@mint.lgbt>
- Mar 13, 2024
- Mar 10, 2024
dakkar authored
We can't make the cookie `HttpOnly` because we're setting it from Javascript, but I'm not sure it's worth the trouble to redesign that: `JSON.parse(localStorage.account).token` gives you the token anyway, so hiding the cookie from JS won't offer much protection. At least we can mark it `Secure` (meaning, only send it over HTTPS) and _delete it on logout_ (it wasn't!)
dakkar authored
not the most elegant solution, but simple and robust
- Mar 09, 2024
dakkar authored
- Mar 08, 2024
Amelia Yukii authored
View MR for information: !463 Approved-by: Marie <marie@kaifa.ch> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>
dakkar authored
- Mar 07, 2024
dakkar authored
View MR for information: !461 Approved-by: Amelia Yukii <amelia.yukii@shourai.de> Approved-by: Luna <her@mint.lgbt>
- Mar 05, 2024
- Mar 04, 2024
Amelia Yukii authored
View MR for information: !452 Approved-by: Amelia Yukii <amelia.yukii@shourai.de> Approved-by: Leah <kevinlukej@gmail.com>
dakkar authored
Amelia Yukii authored
View MR for information: !450 Approved-by: Luna <her@mint.lgbt> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>
Amelia Yukii authored
View MR for information: !394 Approved-by: Marie <marie@kaifa.ch> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>
dakkar authored
Amelia Yukii authored
View MR for information: !457 Approved-by: Luna <her@mint.lgbt> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>
Amelia Yukii authored
View MR for information: !458 Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>
Leah authored
Amelia Yukii authored
View MR for information: !459 Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>
Leah authored
- Mar 03, 2024
- Mar 02, 2024
Amelia Yukii authored
View MR for information: !447 Approved-by: Amelia Yukii <amelia.yukii@shourai.de> Approved-by: Marie <marie@kaifa.ch>
dakkar authored
Amelia Yukii authored
View MR for information: !446 Closes #434 Approved-by: Amelia Yukii <amelia.yukii@shourai.de> Approved-by: Marie <marie@kaifa.ch>
dakkar authored
- Feb 25, 2024
Amelia Yukii authored
View MR for information: !445 Approved-by: Marie <marie@kaifa.ch> Approved-by: dakkar <dakkar@thenautilus.net>