Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support SVG and HTML inscriptions #1035

Merged
merged 11 commits into from
Dec 22, 2022
Merged

Support SVG and HTML inscriptions #1035

merged 11 commits into from
Dec 22, 2022

Conversation

casey
Copy link
Collaborator

@casey casey commented Dec 21, 2022
edited
Loading

This was easier than I thought. This serves all content with a CSP header value of default-src 'none'. When content is loaded in an iframe with this CSP, all outgoing requests from the iframe are disallowed. We can then serve SVG and HTML content in frames, and they can't make outgoing requests, lessening security concerns and avoiding breakage and references to off-chain content.

@casey casey changed the title Add SVG support Support SVG and HTML inscriptions Dec 21, 2022
@casey casey marked this pull request as ready for review December 21, 2022 06:13
@rot13maxi
Copy link
Contributor

Have you tried putting XSS into an html inscription?

@casey
Copy link
Collaborator Author

casey commented Dec 22, 2022

Have you tried putting XSS into an html inscription?

Good question!

The answer is yes, but I think it's okay. (Famous last words.)

This PR serves all content with the following header:

Content-Security-Policy: default-src 'none' 'unsafe-eval' 'unsafe-inline'

This allows HTML inscriptions to include and execute arbitrary JS. However, default-src 'none' prevents all outgoing requests, so it can't load content from other sites, or make requests to other websites.

It does load from the same origin as other content from ordinals.com, but having the same origin as ordinals.com is not exploitable, because it isn't a sensitive browsing context. It doesn't have any cookies, or access to any special permissions.

If ordinals.com ever becomes a sensitive browsing context, e.g. we have cookies, we'll need to start serving inscription content from a different origin, so that it doesn't have access to those cookies.

We eventually want to relax the sandboxing, so that that inscriptions can request other inscriptions, so eventually we'll want to:

  • Serve inscription content from a unique origin, e.g. content.ordinals.com
  • Allow requests only to content.ordinals.com
  • Serve inscription content and nothing else from content.ordinals.com
  • Change the content security policy that content is served with to allow requests to content.ordinals.com

The goal is to allow HTML inscriptions that can build and remix other inscriptions. We might also want to serve other stuff from content.ordinals.com, like the current block hash, so that HTML inscriptions can use the current block hash as a source of randomness.

@casey casey merged commit 8639b61 into master Dec 22, 2022
@casey casey deleted the svgs branch December 22, 2022 20:47
@casey
Copy link
Collaborator Author

casey commented Dec 22, 2022

@rot13maxi Definitely let me know if the above makes sense or not, and if I'm missing anything.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@raphjaph raphjaph raphjaph approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@casey @rot13maxi @raphjaph