humanmade / protected-embeds

A drop-in replacement for WordPress.com protected embeds

Prevent loading anything but embeds on embeds domain #5

Closed goldenapples closed 8 years ago

goldenapples commented 8 years ago

Adds a couple of sanity checks for security:

This needs to be merged after #4, as it doesn't make sense to block embeds from the site url until the embeds are being served from the embeds domain.

See #2

goldenapples commented 8 years ago

I'm not sure exactly how this should be structured, as it's conceivable that a site might want to do more with the mapped domain than just this plugin. Maybe we should add a filter that can be hooked into before dying. But at least this is a safety check where none existed before. Thoughts?

joehoyle commented 8 years ago

I think we should be able to compare the HTTP_HOST with the PROTECTED_EMBEDS_DOMAIN, and die in that case, therefore we'll just be blacklisting the embeds domain rather than anything not the main domain.
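One way to implement the check described in this thread, as an added example rather than the plugin's own code: compare the request's `HTTP_HOST` against `PROTECTED_EMBEDS_DOMAIN` (the constant referenced above) and die when a non-embed request arrives on the embeds domain, or an embed request arrives anywhere else. It also wires in the opt-out filter suggested earlier in the thread. Everything apart from the constant name is an assumption: the `protected_embed` query var standing in for however the plugin actually recognises an embed request, the `pe_example_*` function names, and the `pe_example_allow_request` filter name.

```php
<?php
/**
 * Added example, not part of the humanmade/protected-embeds plugin.
 * Only requests for embeds are allowed on PROTECTED_EMBEDS_DOMAIN, and
 * embed requests are refused on every other host, so the main site and the
 * embed sandbox never share an origin.
 *
 * Assumptions (hypothetical, not from the plugin):
 *  - an embed request carries a `protected_embed` query var;
 *  - the filter is named `pe_example_allow_request`.
 */

// Hypothetical detection of an embed request; adjust to the plugin's real route.
function pe_example_is_embed_request(): bool {
	return isset( $_GET['protected_embed'] );
}

/**
 * Normalise a host for comparison: lower-case, strip any port, strip a trailing dot.
 * Bracketed IPv6 literals are kept intact.
 */
function pe_example_normalize_host( string $host ): string {
	$host = strtolower( trim( $host ) );
	if ( preg_match( '/^(\[[^\]]+\]|[^:]+)(:\d+)?$/', $host, $m ) ) {
		$host = $m[1];
	}
	return rtrim( $host, '.' );
}

/**
 * Decide whether a request on $host should be served.
 * Returns true to serve it, false to die. With the constant undefined there is
 * nothing to enforce, so everything is allowed.
 */
function pe_example_request_allowed( string $host, bool $is_embed ): bool {
	if ( ! defined( 'PROTECTED_EMBEDS_DOMAIN' ) ) {
		return true;
	}
	$on_embeds_host = pe_example_normalize_host( $host )
		=== pe_example_normalize_host( PROTECTED_EMBEDS_DOMAIN );

	// On the embeds host serve only embeds; everywhere else serve no embeds.
	return $on_embeds_host === $is_embed;
}

function pe_example_guard(): void {
	$host     = isset( $_SERVER['HTTP_HOST'] ) ? (string) $_SERVER['HTTP_HOST'] : '';
	$is_embed = pe_example_is_embed_request();
	$allowed  = pe_example_request_allowed( $host, $is_embed );

	// Hypothetical filter so a site that does more with the mapped domain can
	// opt specific requests back in before the request is killed.
	$allowed = (bool) apply_filters( 'pe_example_allow_request', $allowed, $host, $is_embed );

	if ( ! $allowed ) {
		status_header( 404 );
		nocache_headers();
		wp_die( 'Not found', 'Not found', array( 'response' => 404 ) );
	}
}

// Early enough to stop the main query, late enough for plugins to have hooked the filter.
add_action( 'init', 'pe_example_guard', 1 );
```

Because the comparison is against the constant, this is the blacklist behaviour described above: a request is refused only when the host is exactly the embeds domain, so any other mapped domain is untouched unless the filter says otherwise. The port is stripped before comparing so that `PROTECTED_EMBEDS_DOMAIN` on a non-standard port is still refused for non-embed requests, which errs on the side of denying.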

joehoyle commented 8 years ago

I think you did exactly that! Seems to be using spaces instead of tabs for some reason though :)

goldenapples commented 8 years ago

> Seems to be using spaces instead of tabs for some reason though :)

Ah, yup. Darn editorconfig... Fixed now in 3d0f2e3