felixhageloh
commented
2 years ago One thing I just came across is NSHTTPCookieStorage. I also vaguely remember looking at it (and maybe using it) when I first implemented this.
If I understand correctly, adding a cookie to the sharedHTTPCookieStorage will add the cookie to all requests sent by the app - not sure about web sockets, tho. If that's correct it would make the code a bit simpler
execjosh
Use a randomly generated token to authenticate requests to the server for all endpoints, including WebSockets, which will help prevent naïve exploitation of the privilege escalation threat of the
/run/endpoint. The token is passed to the node server via STDIN, which should sufficiently prevent eavesdropping.There is a new setting that toggles this functionality and is enabled by default.
Implementation details
This is implemented using
httpCookieStore, which is only available on macOS 10.13+. However this project targets 10.11.The
WKWebViewinjects the token as a cookie for requests from the foreground and background; so, this change should be transparent to all widgets. Additionally, theHttpOnlyflag is set on the cookie, which prevents it from being accessed from JavaScript.