ScriptaGames / zorbio

A 3D multiplayer WebGL game
MIT License

what the heck is http://cp.poundzero.net/ and why is it pointing at zor.bio #217

Closed Jared-Sprague closed 8 years ago

Jared-Sprague commented 8 years ago

found this in google search results, totally weird, it's the latest build: http://cp.poundzero.net/

mwcz commented 8 years ago

What the... we should proooooolly set up CORS on the server and restrict ACAO to our domain. That should prevent anything like this from being possible.

Jared-Sprague commented 8 years ago

Ok, interesting, it looks like the A record actually points to the IP address of our load balancer:

[jsprague@localhost zorbio]$ dig cp.poundzero.net

; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> cp.poundzero.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2247
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cp.poundzero.net.      IN  A

;; ANSWER SECTION:
cp.poundzero.net.   3442    IN  A   96.126.119.51

;; Query time: 2 msec
;; SERVER: 10.11.5.19#53(10.11.5.19)
;; WHEN: Thu Mar 03 07:54:07 EST 2016
;; MSG SIZE  rcvd: 61

[jsprague@localhost zorbio]$ 
[jsprague@localhost zorbio]$ ping cp.poundzero.net
PING cp.poundzero.net (96.126.119.51) 56(84) bytes of data.
64 bytes from nb-96-126-119-51.dallas.nodebalancer.linode.com (96.126.119.51): icmp_seq=1 ttl=50 time=46.8 ms
64 bytes from nb-96-126-119-51.dallas.nodebalancer.linode.com (96.126.119.51): icmp_seq=2 ttl=50 time=46.7 ms
64 bytes from nb-96-126-119-51.dallas.nodebalancer.linode.com (96.126.119.51): icmp_seq=3 ttl=50 time=46.7 ms

mwcz commented 8 years ago

@Jared-Sprague I just created a branch called disable-cross-origin that should fix this. As in, they can host our static content (no way to stop them from doing that honestly), but they won't be allowed to connect to our websocket server. So no one can play the game at their domain. Could you test it out? I want to make sure I didn't cause any side effects before pushing it out.

To test:

git up
git checkout disable-cross-origin
npm start
# /etc/hosts lines are "IP hostname"; `sudo echo ... >> file` fails because the redirect runs without sudo
echo "127.0.0.1 localhust" | sudo tee -a /etc/hosts
firefox localhost:3000 localhust:3000

Try to play with both tabs. The localhost tab should work, the localhust tab should fail. I didn't bother adding a friendly error screen (check console for errors) but we can if you like.
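
The check the disable-cross-origin branch describes, as an added example that is not zorbio's own code: the server compares the Origin header of the WebSocket upgrade request against an explicit allowlist and aborts the handshake otherwise. The allowlist values and the `verifyClient` hook shape (taken from the `ws` package) are assumptions.

```javascript
// Added example, not the project's code. Rejects WebSocket handshakes whose
// Origin header is not on an explicit allowlist, so a copy of the static
// client hosted on another domain cannot reach the game server from a browser.

// Origins the game client is legitimately served from (constructed values).
const ALLOWED_ORIGINS = new Set([
  'https://zor.bio',
  'http://localhost:3000',
]);

// Normalise an Origin header value to scheme://host[:port] so that
// "https://ZOR.BIO" and "https://zor.bio:443/" compare equal to the
// allowlist entry. Returns null for missing, opaque ("null") or non-HTTP origins.
function normalizeOrigin(origin) {
  if (typeof origin !== 'string' || origin === 'null') return null;
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return null; // not a parseable URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.origin; // lowercases the host, drops the default port, strips any path
}

// Exact-match against the allowlist: no suffix or substring matching, so
// "https://zor.bio.example.com" or "http://localhust:3000" are refused.
function isAllowedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  const normalized = normalizeOrigin(origin);
  return normalized !== null && allowed.has(normalized);
}

// Shape of the `ws` package's verifyClient hook (assumed): info.origin carries
// the Origin header of the HTTP upgrade request. Returning false makes the
// server reject the handshake, which is what the "localhust" tab should see.
function verifyClient(info) {
  return isAllowedOrigin(info.origin);
}

module.exports = { normalizeOrigin, isAllowedOrigin, verifyClient };
```

Browsers always send Origin on a WebSocket handshake and do not let page script override it, which is what makes the check effective against a cloned site; a non-browser client can send any Origin, so this blocks the copied site for players but is not authentication.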

Jared-Sprague commented 8 years ago

Getting this in prod: screenshot from 2016-03-04 22-26-04