As stated in the readme, CORS makes it so you can't download files from Discord directly. Disbox implements 2 ways to solve this:
The recommended one: a chrome extension that acts as a local proxy.
One for when you're in a hurry: an external proxy (currently allOrigins).
In the current state, Disbox simply acknowledges that using an external proxy is less secure (because someone else can see your files), and that if you don't trust the proxy (which is a whole other discussion), you should just download the extension.
However, it may be a good idea to also encrypt the files, for situations where the extension is not used. It's worth noting file encryption is not necessary for extension usage as the files are secured by Discord itself.
It's possible to keep Disbox's current model, where the server can't access the files itself, and all files are recoverable by the user, and provide a simple implementation, using the following flow:
When uploading, encrypt each chunk of the file using the webhook URL as the encryption key.
Do this for every file, even ones that are uploaded when the extension is installed, so they could be downloaded even without it.
This also has a few disadvantages:
It's not necessarily the best direction. It may be better to just make the external proxy needed in fewer use cases, for example, using an app or a Firefox extension.
It makes the files harder to recover. If the Disbox client goes offline for some reason, users who urgently need their files can't just download the files as chunks and merge them manually - it requires extra work and manual decryption.
It doesn't follow Disbox's current policy which is not handling security - and leaving it all to Discord. Truth be told, I'm not a security expert and sometimes it's better to admit that something is insecure (and let cautious users encrypt it before uploading), rather than claiming something is secure when you can't actually promise that.
Even given all of these, the task at hand doesn't seem that complex, and it is a significant security improvement for proxy users - so it may still be worth adding.
Happy to hear feedback about this. I'd like to know what other people think and how important that is. Do you trust the proxy server? Do you even use it, or did you install the extension? Are you even aware you're exposing your data to a 3rd party? Maybe just a disclaimer is needed? Please share your opinions.
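
One way the upload flow proposed in this issue could look in the browser, as an added example that is not Disbox code: it assumes AES-GCM through Web Crypto, an HKDF step to turn the webhook URL into a key, and a 12-byte IV prepended to each chunk, none of which the issue specifies. The webhook URLs and chunk contents are constructed placeholders.

```javascript
// Added example, not Disbox code. HKDF, AES-GCM and the chunk layout are assumptions.
// The require() fallback is only reached on older Node versions without a global crypto.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();

// Derive a 256-bit AES-GCM key from the webhook URL, the secret the user already holds.
async function deriveKey(webhookUrl) {
  const ikm = await webcrypto.subtle.importKey("raw", enc.encode(webhookUrl), "HKDF", false, ["deriveKey"]);
  return webcrypto.subtle.deriveKey(
    { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(0), info: enc.encode("disbox-chunk-v1") },
    ikm, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Bind each chunk to its position so a reordered or substituted chunk fails authentication.
const aad = (index) => enc.encode(`chunk:${index}`);

// Stored layout (assumed): 12-byte random IV || ciphertext || 16-byte GCM tag.
async function encryptChunk(key, index, plain) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const ct = await webcrypto.subtle.encrypt({ name: "AES-GCM", iv, additionalData: aad(index) }, key, plain);
  const out = new Uint8Array(iv.length + ct.byteLength);
  out.set(iv);
  out.set(new Uint8Array(ct), iv.length);
  return out;
}

async function decryptChunk(key, index, blob) {
  const params = { name: "AES-GCM", iv: blob.subarray(0, 12), additionalData: aad(index) };
  return new Uint8Array(await webcrypto.subtle.decrypt(params, key, blob.subarray(12)));
}

// Constructed demo: placeholder webhook URLs and a two-chunk "file".
async function demo() {
  const key = await deriveKey("https://discord.com/api/webhooks/0000/EXAMPLE-TOKEN");
  const chunks = [enc.encode("first chunk"), enc.encode("second chunk")];
  const stored = await Promise.all(chunks.map((c, i) => encryptChunk(key, i, c)));
  const roundTrip = new TextDecoder().decode(await decryptChunk(key, 1, stored[1]));
  // A chunk returned at the wrong position, or opened with another key, must be rejected.
  const rejected = (p) => p.then(() => false, () => true);
  const swapRejected = await rejected(decryptChunk(key, 1, stored[0]));
  const otherKey = await deriveKey("https://discord.com/api/webhooks/0000/OTHER-TOKEN");
  const wrongKeyRejected = await rejected(decryptChunk(otherKey, 0, stored[0]));
  return { roundTrip, swapRejected, wrongKeyRejected, overhead: stored[0].length - chunks[0].length };
}
```

Each stored chunk is 28 bytes larger than its plaintext (IV plus tag), so the chunk size has to leave that headroom. Manual recovery, the disadvantage raised above, would need the same key derivation and layout.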