Fetch permissions

[KyGost]

Unless if I'm mistaken, there is a lot of room for abuse with PUT and DELETE. We should make a permissions pop up eventually.

Perhaps approve permissions by URL, with temporary and permanent options?

[RangerMauve]

I think CORS would be a great place to start for this.

If a drive can set this header it can configure how it can be interacted with.

Beaker uses a .csp field in the index.json. Maybe we could take a similar approach? https://docs.beakerbrowser.com/developers/index.json-manifest#csp

[RangerMauve]

To enable that, we'd want to see if index.json exists, then fetch the csp field from it after parsing it as JSON and set that as the (Content-Securty-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) header. https://github.com/RangerMauve/dat-fetch/blob/master/index.js#L110

[RangerMauve]

An extension could be useful here too.

Maybe the first time an origin tries to do a PUT or DELETE into a drive, the extension will prompt the user to allow it via a popup.

We could use window.open to create the window and window.postMessage to communicate the users's choice from it.

[KyGost]

After discussing me and @RangerMauve have decided: An extension that does:

• Perm request on create
• Perm request on put/delete
• Perm request on seed

If drive has negative perms in index.json:

• Perm request on get/download

Permission for a higher capacity also grants lower capacities

Perms are per drive + site pair

Perms stored in the extension's indexedDB

Need to use WebRequest API, changing fetch won't affect enough!

[KyGost]

Requests will occur at: https://github.com/AgregoreWeb/extension-agregore-permissions-fetch Agregore-side, we need:

• Negative permissions in index.json

[RangerMauve]

Mind elaborating a bit more on what negative permissions in index.json would look like? :o

[KyGost]

Seems you were thinking CSP. If not that, perhaps (GET is the only assumed positive permissions for now):

permissions: {
  GET: {
    'hyper://MYSITE'
  }
}

Not sure if the list would be sites that can access it or can't access it.

[RangerMauve]

Ah yeah, the CSP thing I was thinking of would be to implement the same function that Beaker has: https://docs.beakerbrowser.com/developers/index.json-manifest#csp

[KyGost]

That makes sense. Can it be used to prevent connections? Browsed over it quickly and it seemed to be specifying what it can connect to?

[RangerMauve]

Yeah, it can restrict domains from doing requests to the particular hyperdrive.

[jolindroth]

Hey, I think I could pick this issue up with some support. Could someone help break down the task into more manageable chunks?

[RangerMauve]

@jolindroth Thanks for offering to help!

One approach would be via a web extension extension that would do something like the following:

• Keep track of "permissions" in something like idb.js
  • Map the "origin" to which hyper:// URL it has access to
• Use WebRequest to intercept hyper (and ipfs?) URLs
  • I think you can get the origin from the tab info
• If it isn't the "same origin" requesting it, check if that origin already has permission to access this site.
  • Maybe we only care about PUT / POST and DELETE for now?
  • If the origin doesn't have permission, try prompting the user to ask them if it should be allowed
  • There should be an option to "don't ask again" when denying so that sites can't spam you too much.
  • Not sure how best to surface this permission prompt. Maybe with tabs.createWindow() in the extension and having it send back a message upon confirm/deny?

This should be a good first step to see how permissions could work and leaves room for more fine-grained permissions and fetching permission info from naifests within the site itself down the line.

Does that feel like something you'd be comfortable taking on? Is there more detail that you'd need to get started?

In the future it might be cool if we could dynamically change the CORS header on webistes with a permission prompt too. But that's probably a separate issue. 😁

[jolindroth]

Thanks, @RangerMauve. I'll give it a shot. Could I reach out to you on discord if I need to ask something?

[RangerMauve]

Thanks, @RangerMauve. I'll give it a shot. Could I reach out to you on discord if I need to ask something?

Yes! Feel free to chat about it on https://discord.gg/QMthd4Y or https://matrix.to/#/#agregore:mauve.moe I'm usually most active on weekdays and sometimes Sundays. 😁

[RangerMauve]

An additional bit would be the ability to bypass CORS for general sites.

Here's how one could go about doing this:

• Start by using WebRequest APIs to inject CORS headers to bypass restrictions
• Use the onHeadersRecieved API and inject CORS headers to be more permissive
• Try to use the fetch() API to make a CORS request that would typically break
• Fix any bugs until that request is possible
• Inject a JS API into tabs on boot which adds something like navigator.requestCORSBypass(urlpattern)
• The background page should keep a map of domains and URL patterns of who can bypass cors
• When a request comes into onHeadersRecieved, check if the origin making the request is in the map, and then check that the URL of the request matches the requested pattern
• The API can be injected into tabs with content scripts
• The API should call back to the background page to add the domain + url pattern to the map
• Once this is working, use IndexedDB or LocalStorage to persist this data
• Finally there should be a page that can list the origins that have CORS bypasses so they can be revoked
• We may also want to add a BrowserAction which can show whether the current page has CORS bypass permissions and whether they should be revoked.

[Pantyhose-X]

Thanks, @RangerMauve. I'll give it a shot. Could I reach out to you on discord if I need to ask something?

Yes! Feel free to chat about it on https://discord.gg/QMthd4Y or https://matrix.to/#/#agregore:mauve.moe I'm usually most active on weekdays and sometimes Sundays. 😁

Add Contact to https://rvlt.gg/