3-Round-Stones / callimachus

Callimachus is a highly scalable platform for creating and running data-driven websites

Allowed Origins Should Restrict Scripts Both Ways #233

Closed catch-point closed 8 years ago

catch-point commented 8 years ago

In Callimachus 1.4 the Allowed origins field in the home folder prevents external scripts from accessing hosted resources if they are from an unknown origin. In Callimachus 1.5 this should be extended to:

1) Prevent hosted scripts from accessing resources located in an unknown origin,
2) Prevent hosted from submitting forms to unknown origins, and
3) Prevent unknown origins from embedding (via iframe) hosted resources

All of these restrictions can be disabled by using a '*' as an allowed origin.

Note that the changes for this issue should not prevent styles and scripts from being inline or using eval.
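As an added example, not Callimachus code and not the fix in the commit referenced below: one way to express the three restrictions and the '*' escape hatch as Content-Security-Policy directives derived from an allowed-origins list. Mapping the restrictions to connect-src, form-action and frame-ancestors is my assumption about how a browser could enforce them; build_policy and permits are hypothetical helpers.

```python
# Hypothetical illustration of the issue's three restrictions as CSP directives
# derived from an "allowed origins" list. Not Callimachus code.
from urllib.parse import urlsplit

# Directive that enforces each numbered restriction from the issue.
RESTRICTIONS = {
    "connect-src": "1) hosted scripts fetching resources from other origins",
    "form-action": "2) hosted pages submitting forms to other origins",
    "frame-ancestors": "3) other origins embedding hosted pages in an iframe",
}

def normalize_origin(origin: str) -> str:
    """Reduce a URL or origin string to scheme://host[:port]; '*' passes through."""
    origin = origin.strip()
    if origin == "*":
        return "*"
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an origin: {origin!r}")
    return f"{parts.scheme}://{parts.netloc.lower()}"

def build_policy(allowed_origins):
    """Map the allowed-origins list to a dict of directive -> source list."""
    origins = {normalize_origin(o) for o in allowed_origins}
    # A single '*' entry disables all three restrictions, as the issue specifies.
    sources = ["*"] if "*" in origins else ["'self'"] + sorted(origins)
    policy = {directive: list(sources) for directive in RESTRICTIONS}
    # Inline scripts/styles and eval remain allowed, per the issue's note.
    policy["script-src"] = ["'self'", "'unsafe-inline'", "'unsafe-eval'"]
    policy["style-src"] = ["'self'", "'unsafe-inline'"]
    return policy

def csp_header(policy):
    """Serialize the policy dict to a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())

def permits(policy, directive, target, self_origin):
    """Would `directive` allow `target` (a URL or origin) for a site at `self_origin`?"""
    sources = policy[directive]
    if "*" in sources:
        return True
    target = normalize_origin(target)
    if "'self'" in sources and target == normalize_origin(self_origin):
        return True
    return target in sources
```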

catch-point commented 8 years ago

Fixed with 54940a769096a570119c78da94abbe7955031d5d