joule-labs / joule-extension

Lightning payments extension for Chrome
MIT License
353 stars 62 forks

Ratelimit window creation requests #215

Open Technifocal opened 5 years ago

Technifocal commented 5 years ago

Description of the Feature or Idea

Rate-limit the speed at which sites can create getInfo()/sendInvoice()/makeInvoice() requests if they require opening a window (for example, getInfo(), if pre-approved, should not be rate-limited). In testing, a buggy/malicious site can easily open tens or hundreds of windows.

Existing Example(s) of Feature

Here is an example piece of code to trigger the malicious action:

```html
<html>
    <head>
        <!-- WebLN client library; integrity hash as given in the original report -->
        <script src="https://unpkg.com/webln@0.2.0/dist/webln.min.js" integrity="sha384-mTReBqbhPO7ljQeIoFaD1NYS2KiYMwFJhUNpdwLj+VIuhhjvHQlZ1XpwzAvd93nQ" crossorigin="anonymous"></script>
        <script>
            // Each call asks the extension to open a makeInvoice prompt window.
            async function alertInvoice() {
                var webln = await WebLN.requestProvider();
                var weblnbolt11 = await webln.makeInvoice({defaultAmount: "5", minimumAmount: "1", maximumAmount: "10"});
            }
        </script>
    </head>
    <body>
        <!-- One click fires 15 concurrent prompt requests, so 15 windows open at once -->
        <input type="button" onclick="for(var i = 0; i < 15; i++) {alertInvoice();}" value="Click me!" />
    </body>
</html>
```
wbobeirne commented 5 years ago

This should be pretty simple to auto-reject if they call it more than say 2 times per second. Thanks for the test case!
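As an added example (not Joule's own code), the following shows one way an extension could implement the auto-reject proposed above: a per-origin sliding-window limiter that only counts calls which would actually open a prompt window, so a pre-approved getInfo() is never throttled. The class and function names (PromptRateLimiter, opensWindow, simulateBurst), the set of always-prompting methods, and the budget of 2 prompts per 1000 ms are assumptions for illustration; the 15-call burst is constructed to mirror the reproducer in the issue.

```javascript
// Added example, not Joule's own code: a per-origin sliding-window limiter for
// WebLN calls that would open an extension prompt window. Names, the method
// list and the 2-per-second budget are assumptions for illustration.

const WINDOW_MS = 1000;
const MAX_PROMPTS_PER_WINDOW = 2;

// WebLN methods that always open a prompt window in the extension UI
// (assumed set; the issue uses makeInvoice as the reproducer).
const ALWAYS_PROMPTS = new Set(['makeInvoice', 'sendPayment', 'signMessage']);

// Does this call need a window? getInfo()/enable() only prompt when the site
// has not been pre-approved, so a pre-approved getInfo() is never limited.
function opensWindow(method, preApproved) {
  if (method === 'getInfo' || method === 'enable') return !preApproved;
  return ALWAYS_PROMPTS.has(method);
}

class PromptRateLimiter {
  // `now` is injectable so the limiter can be exercised with a fake clock.
  constructor({ windowMs = WINDOW_MS, maxPrompts = MAX_PROMPTS_PER_WINDOW, now = () => Date.now() } = {}) {
    this.windowMs = windowMs;
    this.maxPrompts = maxPrompts;
    this.now = now;
    this.prompts = new Map(); // origin -> timestamps (ms) of recently opened prompt windows
  }

  // Returns true if the request may open a window, false if the extension
  // should auto-reject it without showing any UI. Only allowed calls are
  // recorded, so a rejected burst cannot keep an origin locked out forever.
  allow(origin, method, { preApproved = false } = {}) {
    if (!opensWindow(method, preApproved)) return true;
    const t = this.now();
    const recent = (this.prompts.get(origin) || []).filter((ts) => t - ts < this.windowMs);
    const allowed = recent.length < this.maxPrompts;
    if (allowed) recent.push(t);
    this.prompts.set(origin, recent);
    return allowed;
  }
}

// Mirrors the reproducer: `count` back-to-back makeInvoice() calls from one
// origin. Returns how many would open a window and how many are rejected.
function simulateBurst(limiter, origin, count, method = 'makeInvoice') {
  const result = { allowed: 0, rejected: 0 };
  for (let i = 0; i < count; i++) {
    if (limiter.allow(origin, method)) result.allowed++;
    else result.rejected++;
  }
  return result;
}

// Stand-alone demo with the real clock: a 15-call burst opens 2 windows and rejects 13.
console.log(simulateBurst(new PromptRateLimiter(), 'https://attacker.example', 15));
```

In the extension, the check would sit in the message handler that opens prompt windows: key the limiter on the requesting page's origin (not the tab, so opening extra tabs does not multiply the budget), call `allow()` before creating the window, and reject the pending WebLN promise with an error when it returns false.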