OpenURL: security implications #17

Open
nephros opened this issue Nov 20, 2023 · 1 comment
Labels
enhancement New feature or request question Further information is requested

Comments

@nephros
Contributor

nephros commented Nov 20, 2023

So, with #11 merged, users can be presented with a link to hxxp://matrix.to/ and the "open with" dialog will pass it to Hydrogen.

Question: are we able to blacklist/whitelist valid URLs that may be set this way? Because now, such URLs will be set to the (authorized/logged-in!) view without looking at them, which could be used maliciously.

Maybe the handleUrlChange() function can be expanded to look at URLs more closely, and not only detect invitations, but also filter not-allowed URLs or so.

@nephros nephros added enhancement New feature or request question Further information is requested labels Nov 20, 2023
@pherjung
Contributor

If the only issue is changing the protocol, we can create a URL object in JS and check the protocol. This would be done in the openUrl function.
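A sketch of the check discussed in this thread, as an added example that is not code from this project or from either commenter. It goes beyond the protocol check to also pin the host and reject embedded credentials; the names `checkOpenUrl`, `ALLOWED_PROTOCOLS` and `ALLOWED_HOSTS`, the https-only policy and the length limit are assumptions.

```javascript
"use strict";

// Hypothetical policy: only https links to matrix.to may reach the logged-in view.
const ALLOWED_PROTOCOLS = new Set(["https:"]);
const ALLOWED_HOSTS = new Set(["matrix.to"]);
const MAX_LENGTH = 2048; // assumed upper bound for a link handed over by "open with"

// Returns { ok: true, href } for an acceptable URL, { ok: false, reason } otherwise.
function checkOpenUrl(raw) {
  if (typeof raw !== "string" || raw.length > MAX_LENGTH) {
    return { ok: false, reason: "not a string or too long" };
  }
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  // url.protocol is lower-cased and includes the trailing colon.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: "protocol " + url.protocol };
  }
  // Compare the parsed hostname exactly; substring or prefix tests on the
  // raw string are fooled by userinfo and by look-alike subdomains.
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: "host " + url.hostname };
  }
  if (url.username || url.password || url.port) {
    return { ok: false, reason: "userinfo or non-default port" };
  }
  // Hand the normalised form to the view, not the raw input.
  return { ok: true, href: url.href };
}

// Constructed sample inputs, not taken from the issue.
const samples = [
  "https://matrix.to/#/#room:example.org",
  "javascript:alert(1)",
  "https://matrix.to@other.example/",
  "https://matrix.to.other.example/",
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(checkOpenUrl(s)));
}
```

The same function could also be called from handleUrlChange() so that both entry points apply one policy.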
