SpiderOak / Encryptr

Encryptr is a zero-knowledge cloud-based password manager / e-wallet powered by Crypton
GNU General Public License v3.0

Content is not escaped before inserting into DOM #174

Closed joevennix closed 9 years ago

joevennix commented 9 years ago

Reproduce:

  1. Save a password with the username <script>alert(Object.keys(this))</script>.

Results:

Click to view the password you just saved, you'll get a popup containing:

top,window,location,nwDispatcher,document,global,process,Buffer,root,require,Zepto,app,$,_,Backbone,BackStack,moment,semver,FastClick,deviceIsAndroid,deviceIsIOS,deviceIsIOS4,deviceIsIOSWithBadTarget,deviceIsBlackBerry10,Offline,crypton,sjcl,io,async,dcodeIO,isomerize,jsondiffpatch,superagent,WEB_SOCKET_DISABLE_AUTO_INITIALIZATION,BigInteger,SRPClient,XMLHttpRequest,Encryptr,cordova,tmpl,_zid,clipboard

Unfortunately this script has the full power of node. This is the downside of privileged script in the DOM :(

<script>require('child_process').spawn('touch', ['/tmp/owned'])</script> etc

joevennix commented 9 years ago

If node-webkit supports it, you might look into adding the Content-Security-Policy meta tag to your templates to prevent inline script from running.

devgeeks commented 9 years ago

Funny you should mention that. The 1.2.0 version of the app has CSP. It at least pukes an error if that is attempted.

There seems to be a problem with iOS and CSP. It might be a Cordova issue. I'll make sure that's sorted out before I release iOS.

edit: It turns out the CSP just hasn't been merged into the iOS branch. It should be fine by the time it's released.

joevennix commented 9 years ago

Ah, now I see you have the meta tag on master: https://github.com/devgeeks/Encryptr/blob/master/www/index.html#L12 I was using 1.1.0 from the website.

That CSP policy seems excessively lax though, you can load any https:// URL. So you can still inject a script with a src of any https:// link...
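As an added example (not code from Encryptr or from anyone in this thread), two defensive checks that follow from the issue: a function that escapes untrusted text such as a saved username before it is interpolated into HTML, and a function that flags `script-src` entries in a CSP string which still allow arbitrary `https://` or inline script, the weakness noted above. The CSP strings are constructed samples, not the app's real policy.

```javascript
// Added example: mitigation helpers for the two problems in this thread.
// Plain functions with no DOM dependency, so they run in Node as-is.

// 1. Escape untrusted text before it is placed into innerHTML or an HTML
//    template string. (Where possible, textContent avoids the need, but the
//    app's templates build markup strings, so escaping is what applies.)
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(value).replace(/[&<>"'`]/g, ch => map[ch]);
}

// 2. Audit a Content-Security-Policy string. Returns the script-src sources
//    (falling back to default-src) that still permit arbitrary script:
//    a bare scheme such as "https:" allows any https:// script, wildcard
//    hosts allow any origin, and 'unsafe-inline' / 'unsafe-eval' undo the
//    inline-script protection entirely.
function laxScriptSources(policy) {
  const directives = policy.split(';').map(d => d.trim()).filter(Boolean);
  const byName = name =>
    directives.find(d => d.split(/\s+/)[0].toLowerCase() === name);
  const scriptSrc = byName('script-src') || byName('default-src');
  if (!scriptSrc) return ['(no script-src or default-src: all sources allowed)'];
  const sources = scriptSrc.split(/\s+/).slice(1);
  return sources.filter(src =>
    src === '*' ||
    /^(https?|data|blob):$/i.test(src) ||   // scheme-only source
    /^https?:\/\/\*$/i.test(src) ||         // wildcard host
    src === "'unsafe-inline'" ||
    src === "'unsafe-eval'"
  );
}

// Constructed sample inputs (hypothetical, not the project's own values).
const sampleUsername = "<script>alert(Object.keys(this))</script>";
const laxCsp = "default-src 'self' https:; style-src 'self' 'unsafe-inline'";
const strictCsp = "default-src 'self'; script-src 'self'; connect-src https://api.example.invalid";

console.log(escapeHtml(sampleUsername));
console.log(laxScriptSources(laxCsp));    // ["https:"]
console.log(laxScriptSources(strictCsp)); // []
```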

kenmanheimer commented 9 years ago

Problem with this in desktop browser - in permissive Chrome or plain Firefox:

kenmanheimer commented 9 years ago

(Sorry, my last comment belonged in the PR, not this issue.)