indico / indico-checkin-pwa

MIT License

Lockdown Mode on Apple devices blocks access to the DB API #44

Open EISSeuropa opened 5 months ago

EISSeuropa commented 5 months ago

When accessing the web page from an iOS or macOS device in Lockdown Mode, the following error displays:

IndexedDB API missing. Please visit Dexie.MissingAPIError

This is to be expected, considering it's the purpose of Lockdown to prevent unwanted code execution and file access. Disabling Lockdown either system-wide or for that website exclusively allows the page to work again.

Tested on iOS 17.1 and macOS 14.4.1, with both Safari (19618.1.15.11.14) and Safari Tech Preview Release 191 (Safari 17.4, WebKit 19619.1.6.3).

Impact: High (webpage unusable under these circumstances). Likelihood: Low (Lockdown Mode is an extreme security measure mostly used by the infosec community and potential target profiles only). Overall severity: Minor (can easily be circumvented by disabling Lockdown).

Action recommended: Document the issue and make not having Lockdown Mode activated a requirement for using the PWA.

ThiefMaster commented 5 months ago

Maybe showing a warning in the app that lockdown mode needs to be disabled would be the best option? Is there a reliable way to detect this?

EISSeuropa commented 5 months ago

There are ways to detect LM, which is not great privacy-wise actually. But maybe it would be better to detect and warn that the affected web feature is disabled. Which one exactly, I'm not sure, maybe several:

[image: lockdown-mode-disable]

EDIT: Source: https://blacktop.github.io/presentations/0x41con_2023/HTML/index.html#0

tomasr8 commented 5 months ago

Agreed, if we can detect the specific Dexie error, we should show a warning in the app.
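
An added example (not code from indico-checkin-pwa) of the approach suggested in the two comments above: probe only the IndexedDB feature the app needs and map Dexie's MissingAPIError to a user-facing warning, rather than trying to fingerprint Lockdown Mode itself. It assumes Dexie sets `name` to `'MissingAPIError'` on that error; the `showWarning` callback and the error objects used below are constructed for illustration.

```javascript
// Added example, not part of the indico-checkin-pwa code base.

// Probe only the feature the app depends on (IndexedDB). A structured result
// lets the UI decide what to show without inferring anything about the
// user's device configuration.
function checkIndexedDbAvailable(win = globalThis) {
  if (typeof win.indexedDB === 'undefined' || win.indexedDB === null) {
    return { available: false, reason: 'IndexedDB API missing' };
  }
  return { available: true, reason: null };
}

// Dexie reports a missing IndexedDB implementation with an error whose
// `name` is 'MissingAPIError' (assumption based on Dexie's error naming).
// Map it, and other database errors, to a message the check-in UI can show.
function describeDbError(err) {
  const name = err && err.name;
  switch (name) {
    case 'MissingAPIError':
      return {
        fatal: true,
        message:
          'This browser provides no IndexedDB, so the check-in app cannot store data. ' +
          'On iOS/macOS this is typically caused by Lockdown Mode; disable it for this site to continue.',
      };
    case 'QuotaExceededError':
      return { fatal: false, message: 'Browser storage is full; free up space and retry.' };
    default:
      return { fatal: false, message: `Database error: ${name || 'unknown'}` };
  }
}

// Startup wrapper around a Dexie-style `db.open()`: warn once, before the
// first database access, instead of failing on every query.
async function openWithWarning(db, showWarning, win = globalThis) {
  const probe = checkIndexedDbAvailable(win);
  if (!probe.available) {
    showWarning(describeDbError({ name: 'MissingAPIError' }).message);
    return false;
  }
  try {
    await db.open();
    return true;
  } catch (err) {
    const described = describeDbError(err);
    showWarning(described.message);
    return !described.fatal;
  }
}
```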

EISSeuropa commented 5 months ago

It is also highly likely that people that would be affected would be aware of the issue. People that use LM are either tech-savvy or sensitised to the usability issues of activating LM. It's a niche demographic.