cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

Disabling CTRL+L not working #15751

Open SaeedFazlollahzadeh opened 3 years ago

SaeedFazlollahzadeh commented 3 years ago

Cockpit version: 227-1
OS: Ubuntu 20.10

Steps to reproduce

I did install https://chrome.google.com/webstore/detail/shortkeys-custom-keyboard/logpjaacgmcbpdkdchjiaagddngobkck on Google Chrome and set "ctrl+l" to do nothing. This works fine in every pages and tabs I have, but when I go to 192.168.43.10:9090, pressing "ctrl+l" goes to address bar. I tried to check the files of this extension but found nothing regarding if any IP Addresses are excluded.

I use "ctrl+l" many times to clear the page, but every single time I do this I should click on the terminal page to prevent refreshing the page by mistake.

garrett commented 3 years ago

Cockpit uses a strict level of CSP (Content Security Policy).

My guess is that this extension probably injects JavaScript into the page, which is explicitly forbidden by Cockpit (as you wouldn't want a rogue extension to look at and interact with your server outside of your control).

I'm assuming this is on the terminal page of Cockpit, correct? We do have some issues with not being able to input various keystrokes and I have written about a solution for it @ https://github.com/cockpit-project/cockpit/issues/14545#issuecomment-693412771 — but it's not 100% what you would expect (as browsers do not support this)... and it's not implemented yet.

garrett commented 3 years ago

If the extension does manage to override Ctrl+L, perhaps that's one we might be able to prevent doing the default thing. If so, we might be able to actually handle this one in Cockpit directly. I do see that the key is caught and acted upon in the terminal, in Firefox at least, but also causes the entry bar to be focused.

SaeedFazlollahzadeh commented 3 years ago

Since my IPs are private, it does not matter if Cockpit allows explicit JS injection and if needed I can modify Cockpit files.

I'm assuming this is on the terminal page of Cockpit, correct?

Yes, that's right. I saw this behavior being focused on the bar on both Google Chrome and Firefox.

garrett commented 3 years ago

Since my IPs are private, it does not matter if Cockpit allows explicit JS injection and if needed I can modify Cockpit files.

Can your browser reach any IPs outside your network? (You're typing on GitHub, which isn't on your internal network; it's external.)

Without CSP, an extension could theoretically inject a script inside Cockpit, harvest information, and send it outside of your network. Having a strict CSP prevents stuff like that from happening.
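To make the CSP point above concrete, here is an added example (not Cockpit's code, and not Cockpit's actual policy) of how a script-src policy decides whether an injected script may run. It models only the parts of CSP that matter for this discussion: script-src / default-src with 'self', 'none', 'unsafe-inline' and host sources; nonces, hashes, wildcards and 'strict-dynamic' are deliberately left out, and the policy string and origins in the demo are constructed for illustration.

```javascript
// Added example, not Cockpit's code. Simplified model of a CSP script-src
// decision: would a script injected into the page be allowed to execute?

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(policyText) {
  const directives = {};
  for (const part of policyText.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// A host source may be "https://host:port" or a bare "host"; a bare host is
// compared on host[:port] only (simplification of the real scheme rules).
function originMatchesHostSource(origin, source) {
  try {
    if (source.includes("://")) return new URL(source).origin === origin;
    return new URL("https://" + source).host === new URL(origin).host;
  } catch {
    return false;
  }
}

// script: { inline: true } for an injected inline <script> element, or
//         { src: "https://host/x.js" } for an injected external script.
// pageOrigin: origin of the protected page, e.g. "https://192.168.43.10:9090".
function scriptAllowedByCsp(policyText, pageOrigin, script) {
  const d = parseCsp(policyText);
  const sources = d["script-src"] || d["default-src"];
  if (!sources) return true;                 // no applicable directive: unrestricted
  if (sources.includes("'none'")) return false;
  if (script.inline) return sources.includes("'unsafe-inline'");
  const origin = new URL(script.src).origin;
  for (const s of sources) {
    if (s === "'self'" && origin === pageOrigin) return true;
    if (!s.startsWith("'") && originMatchesHostSource(origin, s)) return true;
  }
  return false;
}

// Stand-alone demo with a constructed policy (assumption, not Cockpit's real one).
function demo() {
  const policy = "default-src 'self'; script-src 'self'";
  const page = "https://192.168.43.10:9090";
  return {
    injectedInline: scriptAllowedByCsp(policy, page, { inline: true }),
    ownScript: scriptAllowedByCsp(policy, page, { src: page + "/app.js" }),
    offsite: scriptAllowedByCsp(policy, page, { src: "https://untrusted.example/collect.js" }),
  };
}
```

With the constructed policy, an inline script injected by an extension and an external script loaded from another host are both refused, while the page's own scripts still load; that is the property garrett describes, and relaxing it with 'unsafe-inline' is what would let such injections through.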

garrett commented 3 years ago

Even still, it's simply not possible to capture some keystrokes. Some are simply reserved by the browser and it ignores anything from web content.

There was a bug (now closed as WONTFIX) reported to Chromium back in 2012 about this: https://bugs.chromium.org/p/chromium/issues/detail?id=33056

Then other bugs were opened to make an API for it in 2011 and 2012: https://bugs.chromium.org/p/chromium/issues/detail?id=84332 https://bugs.chromium.org/p/chromium/issues/detail?id=119881

And this led to a proposal for a BrowserKeys API in 2012: https://www.chromium.org/developers/design-documents/extensions/proposed-changes/apis-under-development/browser-keys

And all that's... gone absolutely nowhere for a decade, basically.

Meanwhile, a similar problem exists in Firefox and WebKit... and it still has gone nowhere. It's a web browser platform issue. The best we can do is capture the keys, preventDefault on keyboard events, hope the browser doesn't force override the keystrokes, and try to implement a workaround (like I suggested with something like a sticky keys concept).
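The "capture the key, preventDefault on the keydown event, hope the browser doesn't override it" approach described above, as an added example that is not part of the thread or of Cockpit's code. The function names (classifyTerminalShortcut, handleTerminalKeydown, attachTerminalKeyHandler) and the keydown object used in the demo are assumptions made for this example.

```javascript
// Added example, not Cockpit's code: try to keep Ctrl+L as "clear screen" in a
// web terminal instead of letting the browser focus its address bar.

const CLEAR_SCREEN = "clear-screen";
const PASS_THROUGH = "pass-through";
const FORM_FEED = "\x0c"; // the byte a real terminal sends to the pty for Ctrl+L

// Decide what a keydown means for the terminal using only the fields a
// KeyboardEvent carries, so the decision can be tested with a plain object.
function classifyTerminalShortcut(ev) {
  const key = typeof ev.key === "string" ? ev.key.toLowerCase() : "";
  if (key === "l" && ev.ctrlKey && !ev.altKey && !ev.metaKey && !ev.shiftKey) {
    return CLEAR_SCREEN;
  }
  return PASS_THROUGH;
}

// Handle one keydown. Returns the action taken and the bytes (if any) to
// forward to the pty. preventDefault() is a request, not a guarantee: for
// shortcuts the browser reserves, it is silently ignored and the browser
// does its own thing anyway (the platform limitation discussed above).
function handleTerminalKeydown(ev) {
  const action = classifyTerminalShortcut(ev);
  if (action !== CLEAR_SCREEN) return { action, data: null };
  if (typeof ev.preventDefault === "function") ev.preventDefault();
  if (typeof ev.stopPropagation === "function") ev.stopPropagation();
  return { action, data: FORM_FEED };
}

// Wire the handler to the terminal container. `target` needs addEventListener
// (a DOM element); `sendToPty` receives bytes to write to the shell. The
// capture phase is used so this runs before other listeners on the page.
// Returns a function that detaches the listener again.
function attachTerminalKeyHandler(target, sendToPty) {
  const listener = (ev) => {
    const result = handleTerminalKeydown(ev);
    if (result.data !== null) sendToPty(result.data);
  };
  target.addEventListener("keydown", listener, { capture: true });
  return () => target.removeEventListener("keydown", listener, { capture: true });
}

// Stand-alone demo with a constructed keydown object (no browser needed).
function demo() {
  const calls = [];
  const ctrlL = {
    key: "l", ctrlKey: true, altKey: false, metaKey: false, shiftKey: false,
    preventDefault: () => calls.push("preventDefault"),
    stopPropagation: () => calls.push("stopPropagation"),
  };
  const result = handleTerminalKeydown(ctrlL);
  return { action: result.action, data: result.data, calls };
}
```

In a browser this is all a page can do: the handler only influences the outcome if the browser consults web content for that shortcut at all, which is exactly why the Chromium bugs linked above matter.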

garrett commented 3 years ago

However, the fact that the extension can actually disable it in Chrome is encouraging! Thanks for filing the issue.

I should bring up keyboard handling with @marusak again.

SaeedFazlollahzadeh commented 3 years ago

Can your browser reach any IPs outside your network? (You're typing on GitHub, which isn't on your internal network; it's external.)

Yes, I can reach the internet (not only the intranet). The topology is: My laptop with internet access -- Some Virtual Machines in Oracle VirtualBox

I'm using Chrome and both GitHub and 192.168.43.10 addresses are beside each other.

The reason I want to disable this policy is that I need to copy from internet web pages and paste into the terminal to run some commands or solve some issues. I cannot paste directly into the console windows of my VM.

I should mention that I tried to change the "clear-screen" behavior of Linux to another shortcut like Ctrl+I, but I saw some misbehavior, so I denied applying it again.

garrett commented 3 years ago

Right, my point about mentioning that your browser has access to external networks was that a nefarious script could be the bridge between your server and the Internet, even if your server itself doesn't have access to the Internet... if we didn't use CSP. We use strict security for good reasons, to outright prevent bad things from happening. So it's not a good idea to disable security. (Bad things probably won't happen, but you'd be opening up your server for the possibility of it.)

I was just explaining why we harden security, and why you shouldn't disable that.

A more proper fix is to understand what the extension is doing, and see if we can just directly do that in Cockpit. (It might be possible, but it also might not.)

Extensions usually run in a different process than pages, but some extensions inject some code into pages. As the extension you're using isn't working on Cockpit, but works on other sites, it would strongly indicate that it's injecting code into all websites to provide its functionality. It's probably a fine extension to trust (hopefully, otherwise you shouldn't use it), but there are some malicious extensions that inject code into pages.

(Most of the time, these bad acting extensions are removed from the official extension sites, but not always. They have to be found first. I know Mozilla scans their code programmatically and would hope Google does too. But there's also the need for people to review the submitted code as well. Sometimes intentionally bad extensions have made it into the extension sites, both Mozilla's and Google's... although Mozilla seems to do a much better job at curation, as I've seen news articles about nefarious extensions for Google Chrome at least every few months. This is why it's important to keep extensions low and only use extensions you trust. Not every site or web app uses CSP like we do.)


Again, the fact that the extension is blocking the URL bar from control-L within the page for other sites is promising (unless it's talking to a counterpart script that's disabling it at the browser level too). If it's doing this 100% from within the page, we should be able to do that in Cockpit too, and this would benefit everyone.

I'd like for us to look into seeing if it's possible to do this from within Cockpit itself (which everyone would benefit from), instead of allowing your extension to work (which the only way for that to happen is to severely impact security).

Meanwhile, you could also type clear if you don't want to see the previous stuff in your terminal.


(BTW: I do hit control-L in my native terminals also, and have for decades, so I understand the issue with muscle-memory, and I empathize with you. I, also, like to have the backlog hidden from me at times. It's sometimes just noise that gets in the way. We all could use less noise to distract us, especially at various times.)