dart-lang / pub-dev

The pub.dev website
https://pub.dev
BSD 3-Clause "New" or "Revised" License

Consider designing a redirector service for pub.dev #2977

Open jonasfj opened 4 years ago

jonasfj commented 4 years ago

To mask the referrer header, we should consider making external links go through a redirect. This also hardens a few other XSS vectors.

See: https://en.wikipedia.org/w/index.php?title=URL_redirection&oldid=917753021#Referrer_masking

Note: It is critical that such a service only allows redirecting URLs embedded on pub.dev, and cannot be used for arbitrary URL redirection. Hence, URLs would need signing or something else.
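One way to implement the signed-URL constraint described above, as an added example that is not pub.dev's own code: the server mints an HMAC-signed link at render time, and the redirector only follows a link whose signature verifies, so arbitrary open redirection is rejected. Written in Python rather than Dart; the `/redirect` path, the query parameter names and the placeholder key are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder secret for the example; a real deployment would load
# the key from a secrets manager and rotate it.
SECRET_KEY = b"example-only-secret-not-for-production"
REDIRECTOR_PATH = "/redirect"

def _sign(target_url: str) -> str:
    """HMAC-SHA256 over the exact target URL, base64url without padding."""
    mac = hmac.new(SECRET_KEY, target_url.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")

def build_redirect_link(target_url: str) -> str:
    """Used at page-render time: only the server can mint a valid link, so
    every link that verifies later was embedded on the site by the server."""
    parts = urlsplit(target_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # Rejects javascript:, data: and relative targets outright.
        raise ValueError("only absolute http(s) URLs may be wrapped")
    return f"{REDIRECTOR_PATH}?" + urlencode({"url": target_url, "sig": _sign(target_url)})

def resolve_redirect(query_string: str):
    """Used by the redirector endpoint. Returns (status, headers): a 302 for a
    valid link, or a 404 when the URL is missing, duplicated, altered or unsigned."""
    params = parse_qs(query_string, keep_blank_values=True)
    urls, sigs = params.get("url", []), params.get("sig", [])
    if len(urls) != 1 or len(sigs) != 1:
        return 404, {}
    target, sig = urls[0], sigs[0]
    # Constant-time comparison so signature bytes cannot be guessed one at a time.
    if not hmac.compare_digest(_sign(target), sig):
        return 404, {}
    # The redirect response also carries Referrer-Policy so that the browser
    # sends no Referer when it follows the Location header.
    return 302, {"Location": target, "Referrer-Policy": "no-referrer"}

if __name__ == "__main__":
    link = build_redirect_link("https://example.com/docs")
    print(link)
    print(resolve_redirect(link.split("?", 1)[1]))
    print(resolve_redirect("url=https%3A%2F%2Fattacker.example%2F&sig=forged"))
```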

jonasfj commented 4 years ago

Note: it's not clear if we should do this. I just want to open the discussion.

See also: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md

sigurdm commented 3 days ago

I'm not sure this is still relevant. @jonasfj should we just close?