Open execjosh opened 2 years ago
One thing I just came across is NSHTTPCookieStorage. I also vaguely remember looking at it (and maybe using it) when I first implemented this.
If I understand correctly, adding a cookie to the sharedHTTPCookieStorage
will add the cookie to all requests sent by the app - not sure about web sockets, tho. If that's correct it would make the code a bit simpler
@execjosh did you see my last comment here by any chance?
Oops, I must have missed it. I will try to have a look at NSHTTPCookieStorage when I get a chance.
Use a randomly generated token to authenticate requests to the server for all endpoints, including WebSockets, which will help prevent naïve exploitation of the privilege escalation threat of the `/run/` endpoint. The token is passed to the node server via STDIN, which should sufficiently prevent eavesdropping. There is a new setting that toggles this functionality and is enabled by default.
Implementation details

This is implemented using `httpCookieStore`, which is only available on macOS 10.13+. However, this project targets 10.11.

The `WKWebView` injects the token as a cookie for requests from the foreground and background; so, this change should be transparent to all widgets. Additionally, the `HttpOnly` flag is set on the cookie, which prevents it from being accessed from JavaScript.