Skip to content

Commit

Permalink
fix: disable redirect for CID-in-subdomain (#617)
Browse files Browse the repository at this point in the history
This is a fix of a regression for
#537
that was introduced when X-Ipfs-Path header support was added.

Until we are able to provide the same origin-based security guarantees
at a local gateway, we should not redirect resources that use
cid-in-subdomain deployment, as it is a strong hint they care about
Origin-based isolation and we should not relax those guarantees.
  • Loading branch information
lidel authored Nov 12, 2018
1 parent f008b09 commit 458bf34
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 0 deletions.
6 changes: 6 additions & 0 deletions add-on/src/lib/ipfs-request.js
Original file line number Diff line number Diff line change
Expand Up @@ -306,6 +306,12 @@ function isSafeToRedirect (request, runtime) {
return false
}

// For now we do not redirect if cid-in-subdomain is used
// as it would break origin-based security perimeter
if (IsIpfs.subdomain(request.url)) {
return false
}

// Ignore XHR requests for which redirect would fail due to CORS bug in Firefox
// See: https://github.com/ipfs-shipyard/ipfs-companion/issues/436
// TODO: revisit when upstream bug is addressed
Expand Down
2 changes: 2 additions & 0 deletions test/functional/lib/ipfs-request-gateway-redirect.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -268,11 +268,13 @@ describe('modifyRequest.onBeforeRequest:', function () {
it('should be left untouched for IPFS', function () {
state.redirect = true
const request = url2request('http://bafybeigxjv2o4jse2lajbd5c7xxl5rluhyqg5yupln42252e5tcao7hbge.ipfs.dweb.link/')
request.responseHeaders = [{ name: 'X-Ipfs-Path', value: '/ipfs/QmPhnvn747LqwPYMJmQVorMaGbMSgA7mRRoyyZYz3DoZRQ' }]
expectNoRedirect(modifyRequest, request)
})
it('should be left untouched for IPNS', function () {
state.redirect = true
const request = url2request('http://bafybeigxjv2o4jse2lajbd5c7xxl5rluhyqg5yupln42252e5tcao7hbge.ipns.dweb.link/')
request.responseHeaders = [{ name: 'X-Ipfs-Path', value: '/ipfs/QmPhnvn747LqwPYMJmQVorMaGbMSgA7mRRoyyZYz3DoZRQ' }]
expectNoRedirect(modifyRequest, request)
})
})
Expand Down

0 comments on commit 458bf34

Please sign in to comment.