Open NDevTK opened 3 months ago
I don't quite follow this. How does one take advantage of this?
It looks like a harmless little fun thing for someone to edit the source code in their own client side via JavaScript.
The issue is that it's not their own; it's https://docs.flutter.dev, which is cross-site to the attacker's page.
Well, yeah, someone could make this happen when they write a blog that links to docs.flutter.dev.
But:
https://dartpad.dev/?id=<ID_OF_HARMFUL_CODE>
Popups are allowed by default in most browsers after user activation, such as a click (this avoids a website being able to spam the user with popups).
In itself it may be harmless, hence the public issue; however, it's a spoofing risk if the user trusts content on docs.flutter.dev with an API key.
I think the solution here would be to restrict what code can be injected into the execution iframe, not the DartPad embedded iframe.
What happened?
Attacker code is injected onto the docs.flutter.dev dart-pad embed.
Steps to reproduce problem
Additional info
I did think about making a PR in https://github.com/dart-lang/dart-pad/pull/2993 but made a mess instead. I think the fix is to only allow DartPad injection from window.parent, for both code and error logs.
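The window.parent check proposed in the issue, shown as an added example that is not DartPad's own code: an embedded sandbox frame receives source code via postMessage and sends error logs back. The fragile handler accepts a message from any window that holds a reference to the frame; the hardened handler accepts only messages whose `event.source` is the embedding parent and whose `event.origin` is on an allow-list, and sends logs back with an explicit targetOrigin. The handler names, the `sourceCode`/`errorLog` message shapes, the allow-listed origin and the fake window objects are assumptions made so the example runs outside a browser.

```javascript
// Added example, not DartPad's own code. Models an embedded sandbox frame
// that receives source code via postMessage and sends error logs back.
// Names below (ALLOWED_EMBEDDER_ORIGINS, fragileHandler, hardenedHandler,
// sendErrorLog, the message shapes) are assumptions for illustration.

// Hypothetical allow-list of sites permitted to embed the frame.
const ALLOWED_EMBEDDER_ORIGINS = new Set(['https://docs.flutter.dev']);

// Fragile handler: any window that can reach the frame (its parent, but also
// a page that opened it with window.open) is trusted, because neither
// event.source nor event.origin is examined before the code is accepted.
function fragileHandler(event, state) {
  if (event.data && event.data.type === 'sourceCode') {
    state.code = event.data.sourceCode;
  }
  return state;
}

// Hardened handler: accept only messages whose sender is our own parent
// window, whose origin is allow-listed, and whose payload is well-formed.
function hardenedHandler(event, state, parentWindow) {
  if (event.source !== parentWindow) return state;               // not window.parent
  if (!ALLOWED_EMBEDDER_ORIGINS.has(event.origin)) return state; // unknown embedder
  const data = event.data;
  if (!data || typeof data !== 'object') return state;
  if (data.type !== 'sourceCode' || typeof data.sourceCode !== 'string') return state;
  state.code = data.sourceCode;
  return state;
}

// Error logs go only to the parent, with an explicit targetOrigin rather than
// '*', so the browser drops the message if the parent has navigated elsewhere.
function sendErrorLog(parentWindow, embedderOrigin, message) {
  if (!ALLOWED_EMBEDDER_ORIGINS.has(embedderOrigin)) return false;
  parentWindow.postMessage({ type: 'errorLog', message }, embedderOrigin);
  return true;
}

// Constructed stand-ins for browser objects so this runs under Node. In a
// real frame, parentWindow is window.parent and events arrive through
// window.addEventListener('message', handler).
function makeWindow(name) {
  const sent = [];
  return {
    name,
    sent,
    postMessage(msg, targetOrigin) { sent.push({ msg, targetOrigin }); },
  };
}
const parentWindow = makeWindow('embedder');
const openerWindow = makeWindow('opener');

// Constructed messages: one from the legitimate embedder, one from an
// unrelated window that merely holds a reference to the frame.
const fromEmbedder = {
  source: parentWindow,
  origin: 'https://docs.flutter.dev',
  data: { type: 'sourceCode', sourceCode: "void main() { print('hello'); }" },
};
const fromOpener = {
  source: openerWindow,
  origin: 'https://example.invalid',
  data: { type: 'sourceCode', sourceCode: "void main() { print('injected'); }" },
};

// Feeds both constructed messages through each handler and returns the code
// each one ended up holding.
function demo() {
  const messages = [fromEmbedder, fromOpener];
  const fragile = messages.reduce((s, e) => fragileHandler(e, s), { code: null });
  const hardened = messages.reduce((s, e) => hardenedHandler(e, s, parentWindow), { code: null });
  return { fragile: fragile.code, hardened: hardened.code };
}

console.log(demo());
// fragile ends holding the opener's code; hardened still holds the embedder's
```

The two checks are complementary: `event.source === window.parent` pins the sender to the frame that actually embeds the sandbox, while the origin allow-list rejects a parent that is not one of the expected documentation sites. On the reply path, passing the embedder's origin as the second argument to postMessage is what keeps error logs from being delivered to whatever document the parent frame currently shows.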