Closed gerneio closed 2 months ago
derekbekoe
commented
2 months ago Thanks for taking the time to write this up. However, the current behavior is by design and for security/privacy reasons. Introducing a query param would reduce the effectiveness of the interstitial ("anti-phishing") page.
gerneio
commented
2 months ago Unfortunate, because in my code i then have to write two workflows for how to get the correct referral header, and this is only an issue when using dev tunnels on that first access attempt. The only other thing that would alleviate this (besides removing the anti-phising page altogether) is if an additional header is passed through the tunnel to show the original referral header IF the anti-phising page was just shown to the user.
derekbekoe
commented
2 months ago Can you expand on your latest comment in relation to the referral headers and share more on the scenario? There may be another way to achieve your desired goal that doesn't involve adding a query param to allow skipping of the interstitial page.
gerneio
commented
2 months ago Normal/desired flow:
Problem flow (on first access with dev tunnel):
The click action that initiates these series of requests is performed on an anchor tag, therefore it is not possible to specifiy the header to skip the anti-phishing page alongside the GET navigation request.
Subsequently, I dont think it is possible for the Browser to send along the correct referer header once the phishing confirmation page hijacks the request flow. So besides opting for another way of specifying intent to skip the anti-phishing page (i.e. query param), the hijacking dev tunnel logic would need to somehow pass the original referer header to the down stream request.
Note, I know that people tend to not reccomend using the referer header for any sort of security measure, however I can assure you that is not the intended use case here.
Let me know if you still need some clarification.
derekbekoe
commented
1 month ago Understood. I have observed what you've described. When the anti-phishing cookie is not set, the confirmation page is displayed and on confirmation, the Referer is set to the tunnel URL. However, on subsequent requests when the cookie has been already set, the Referer is set to site X.
In the flow where the user goes from site X to site Y, it's important for us to ensure the anti-phishing page is displayed so it is clear to the user that they are accessing a dev tunnel. This is why we can't introduce a query param that allows the page to be skipped with no user interaction.
I know that per #151 (and the docs) we have a way to skip the anti-phishing page and avoid that unnecessary redirect by passing in the header
X-Tunnel-Skip-AntiPhishing-Page: True, however if the initial interaction to the devtunnel link comes from a user click/interaction from within a browser page (i.e. clicking on an anchor tag), there is no way to set that header (that I am aware of). I am requesting that we allow for a query param to be passed in the URL to essentially perform the same behavior (i.e.https://{TUNNEL_ID}.devtunnels.ms/?SkipAntiPhishing=true).