crypto-com / chain-desktop-wallet

Crypto.com DeFi Desktop Wallet
https://crypto.com/defi-wallet

fix: webview 301/302 navigate to unwanted URL #1392

Closed XinyuCRO closed 8 months ago

XinyuCRO commented 8 months ago

#1379 follow-up: webview redirection can still be bypassed by using 301/302.

Test script

Use the script below, run it with python3, and open the DApp Browser at http://localhost:8080

# Minimal redirect server used to reproduce the bypass: every GET is answered
# with a 301 whose Location header points at a non-http scheme (smb:// with
# embedded credentials). A webview that only checks the initial URL follows it.
from http.server import BaseHTTPRequestHandler, HTTPServer

hostName = "localhost"
serverPort = 8080


class MyServer(BaseHTTPRequestHandler):
    def do_GET(self):
        # HTML body sent along with the redirect. It loads vConsole and calls
        # alert(1), so it is visible if the webview renders the body instead of
        # following the Location header.
        Page = (
            "<html>"
            "<script src=\"https://unpkg.com/vconsole@latest/dist/vconsole.min.js\"></script>"
            "<script>var vConsole = new window.VConsole(); alert(1);</script>"
            "</html>"
        )
        # 301 (permanent redirect); change to 302 to test the other status code.
        self.send_response(301)
        self.send_header("Content-type", "text/html")
        # Redirect target on a scheme the DApp browser should never navigate to.
        self.send_header("Location", "smb://test:test@localhost/")
        self.end_headers()
        self.wfile.write(Page.encode("utf-8"))


if __name__ == "__main__":
    webServer = HTTPServer((hostName, serverPort), MyServer)
    print("Server started http://%s:%s" % (hostName, serverPort))

    try:
        webServer.serve_forever()
    except KeyboardInterrupt:
        pass

    webServer.server_close()
    print("Server stopped.")
crypto-matto commented 8 months ago

Tested & fulfilled the requirements