neoascetic / rawgithack

Serves files from github, bitbucket and gitlab, but with the correct content types
https://raw.githack.com
MIT License
577 stars, 89 forks

cross site spoofing with localStorage between 2 repos #55

Open bulk88 opened 4 years ago

bulk88 commented 4 years ago

If a Github Pages repo is accessed through githack, in many cases a website will render and operate as intended, locating all resources through githack instead of Github/Fastly. The user must visually ignore the address bar, but localStorage, ummm, origin will be "rawcdn.githack.com", and localStorage contents can easily be fetched later with a malicious github pages repo to the sensitive github pages repo running on the wrong origin. Not sure if there is a real bug, since github pages shouldn't have a concept of "logging in", but some GH pages sites do "login" with localStorage. Feel free to close if there is no quick fix.

I've used githack as a quick and dirty different "origin" for a GH Pages site when a CORS API WAF got tired of my no API key anonymous usage and punishes my Origin: header by omitting "Access-Control-Allow-Credentials: true" in response for some minutes to my Origin: header and I burned through the official domain and "http://localhost" already. file:// doesn't work as that makes a browser send "Origin: null" for XHR CORS.

binary-person commented 3 years ago

You shouldn't use githack cdn as a website. You should only use it to serve assets. Examples are js, css, img files, not html files.

neoascetic commented 3 years ago

Well, you could use it for static websites — why not?

binary-person commented 3 years ago

> why not?

I guess you can, but you need to be careful. Let's say there are site A and site B. Site A uses localStorage to store some info. Site B is malicious. Site B can easily get Site A's localStorage and bypass all cross-site related protections because they serve under the same domain.

A remedy for this would be to instead use github.io's system and serve each user under a subdomain, but that's likely not going to happen.

Efreak commented 2 years ago

You might be able to implement this by using subdomains instead of paths for user, service: bulk88.github.githackcdn/repo/commitish/path/file (or even put the repo in a subdomain as well). Then submit your cdn to the public suffix list and you should be good.

Edit: cloudflare now allows free users to use wildcards
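As an added illustration of the shared-origin point raised above and of the subdomain layout suggested as a remedy (example code, not part of rawgithack or written by anyone in this thread), the following Node.js snippet computes the web origin of two repos under the current path-based layout and under a per-user subdomain layout; the `cdn.example` host name and the user/repo names are constructed placeholders.

```javascript
// Web origin = scheme + host + port (RFC 6454). The URL path plays no part,
// which is exactly why localStorage written by /userA/... is readable by a
// page served from /userB/... on the same host.
function originOf(rawUrl) {
  const u = new URL(rawUrl);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

// Two pages share localStorage (and sessionStorage, IndexedDB, etc.)
// exactly when their origins are identical.
function shareStorage(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Path-based layout (how rawcdn.githack.com serves files today):
// every user and repo lands in one origin.
const pathBased = {
  siteA: 'https://rawcdn.githack.com/userA/repoA/main/index.html',
  siteB: 'https://rawcdn.githack.com/userB/repoB/main/index.html',
};

// Per-user subdomain layout (constructed placeholder host "cdn.example"):
// each user gets a distinct origin, so storage is no longer shared.
const subdomainBased = {
  siteA: 'https://usera.cdn.example/repoA/main/index.html',
  siteB: 'https://userb.cdn.example/repoB/main/index.html',
};

// Note: subdomains isolate Web Storage, but cookies can still be scoped to
// the parent domain (Domain=cdn.example) unless that parent is registered in
// the Public Suffix List, which is why the thread mentions submitting it.
```

Two repos belonging to the same user still share an origin under the per-user layout, so putting the repo in the subdomain as well (as also suggested above) is what separates those.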