From 4d7b28a7bc0eaf5edb0684168d756c5a6bcc889b Mon Sep 17 00:00:00 2001
From: Marcin Rataj
Date: Mon, 12 Nov 2018 15:55:08 +0100
Subject: [PATCH] fix: disable redirect for CID-in-subdomain
This is a fix of a regression for https://github.com/ipfs-shipyard/ipfs-companion/pull/537 that was introduced when X-Ipfs-Path header support was added. Until we are able to provide the same origin-based security guarantees at a local gateway, we should not redirect resources that use cid-in-subdomain deployment, as it is a strong hint they care about Origin-based isolation and we should not relax those guarantees.
---
 add-on/src/lib/ipfs-request.js | 6 ++++++
 test/functional/lib/ipfs-request-gateway-redirect.test.js | 2 ++
 2 files changed, 8 insertions(+)
diff --git a/add-on/src/lib/ipfs-request.js b/add-on/src/lib/ipfs-request.js
index b2d00c619..9306b36bb 100644
--- a/add-on/src/lib/ipfs-request.js
+++ b/add-on/src/lib/ipfs-request.js
@@ -306,6 +306,12 @@ function isSafeToRedirect (request, runtime) {
 return false
 }
+ // For now we do not redirect if cid-in-subdomain is used
+ // as it would break origin-based security perimeter
+ if (IsIpfs.subdomain(request.url)) {
+ return false
+ }
+
 // Ignore XHR requests for which redirect would fail due to CORS bug in Firefox
 // See: https://github.com/ipfs-shipyard/ipfs-companion/issues/436
 // TODO: revisit when upstream bug is addressed
diff --git a/test/functional/lib/ipfs-request-gateway-redirect.test.js b/test/functional/lib/ipfs-request-gateway-redirect.test.js
index c1e2c1325..eaf6d3cfc 100644
--- a/test/functional/lib/ipfs-request-gateway-redirect.test.js
+++ b/test/functional/lib/ipfs-request-gateway-redirect.test.js
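Review bot: The new guard in isSafeToRedirect (add-on/src/lib/ipfs-request.js) fails open: a request stays on its own origin only when `IsIpfs.subdomain(request.url)` recognises the hostname, and anything it does not match falls through to the later checks and can still be redirected to the gateway. Which subdomain forms that helper accepts is not visible here (for example a non-CID name under `.ipns.`, which the tests in this patch do not cover), so that should be confirmed and stated in the comment. The comment also says "For now" with no pointer; adding `// See: https://github.com/ipfs-shipyard/ipfs-companion/pull/537` would match the See/TODO style of the comment that follows it. The function body starts and ends outside the hunk, so whether every redirect path, including the X-Ipfs-Path one named in the commit message, passes through this function cannot be confirmed from here.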
@@ -268,11 +268,13 @@ describe('modifyRequest.onBeforeRequest:', function () {
 it('should be left untouched for IPFS', function () {
 state.redirect = true
 const request = url2request('http://bafybeigxjv2o4jse2lajbd5c7xxl5rluhyqg5yupln42252e5tcao7hbge.ipfs.dweb.link/')
+ request.responseHeaders = [{ name: 'X-Ipfs-Path', value: '/ipfs/QmPhnvn747LqwPYMJmQVorMaGbMSgA7mRRoyyZYz3DoZRQ' }]
 expectNoRedirect(modifyRequest, request)
 })
 it('should be left untouched for IPNS', function () {
 state.redirect = true
 const request = url2request('http://bafybeigxjv2o4jse2lajbd5c7xxl5rluhyqg5yupln42252e5tcao7hbge.ipns.dweb.link/')
+ request.responseHeaders = [{ name: 'X-Ipfs-Path', value: '/ipfs/QmPhnvn747LqwPYMJmQVorMaGbMSgA7mRRoyyZYz3DoZRQ' }]
 expectNoRedirect(modifyRequest, request)
 })
 })
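Review bot: Both tests now set `request.responseHeaders`, but they still sit under `describe('modifyRequest.onBeforeRequest:')` and assert through `expectNoRedirect`, which is defined outside the hunk; if that helper only drives the onBeforeRequest handler, the added X-Ipfs-Path header is never read and the regression named in the commit message is not exercised. It is worth confirming that the helper also runs the headers-received handler (presumably `onHeadersReceived`), and adding a comment above each new line such as `// X-Ipfs-Path must not trigger a redirect for cid-in-subdomain (regression of #537)`. The header value carries a different CID from the one in the hostname, which is fine for a no-redirect assertion but deserves a word in that comment so it is not read as a mistake.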