sandstorm-io / sandstorm

Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.
https://sandstorm.io

Content Security Policy blocks dynamically generated pdf from downloading #2602

Open n-a-m-e opened 8 years ago

n-a-m-e commented 8 years ago

Hi, I'm slowly porting invoiceninja. It dynamically creates a pdf with pdfmake and then allows the user to download it.

When I'm inside the grain URL, e.g. https://24ba72c5324e3dea1d5ae1bf73e7e448.xxx.sandcats.io/dashboard, this works fine, but when I'm inside the sandstorm UI, e.g. https://xxx.sandcats.io/grain/NZosSy6HJnux4nCkuqeyJ7, I get the following content security policy message in the javascript console:

Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://24ba72c5324e3dea1d5ae1bf73e7e448.xxx.sandcats.io/0e3d5466-ecc3-4b32-9234-0681604cdd0b (“frame-src https://*.xxx.sandcats.io”).

Any help on how to fix this would be appreciated. Thanks.

kentonv commented 8 years ago

Hi! This appears to be a Sandstorm bug. #2606 will fix it. Should be released by Monday.

kentonv commented 8 years ago

Hmm, on further investigation, we're not sure if this change is safe. The problem is that we have no way of forcing Content-Security-Policy headers on the blob itself. This doesn't matter for a pdf blob, but if you were to stuff some HTML into a blob and then navigate to it, it seems like that HTML would be able to escape any Content-Security-Policy we apply.

We will need to investigate this more.

One alternative work-around: You could add an endpoint to your server which accepts a POST and reflects the same content back. Then instead of displaying the blob directly, you would POST the blob content up to the server so that it is displayed back. This is sad because it would waste some bandwidth and a network round-trip just to deliver some data to the client that the client already had, but it gives Sandstorm the opportunity to add the proper Content-Security-Policy headers in the meantime.

What do you think?

Sohalt commented 6 years ago

I have only briefly investigated this, but on Firefox 63.03.1 for Arch Linux the CSP seems to propagate to HTML blobs when navigating to them.

ocdtrekkie commented 4 years ago

This would be a good one to revisit, as I recall it adds a lot of pain for various app export/download options. And there is an open PR already. Perhaps we can do more investigation/testing on the security concern.

zenhack commented 3 years ago

I'm not sure I follow what the security issue is; what are we concerned could happen if we allow this?

ocdtrekkie commented 3 years ago

"but if you were to stuff some HTML into a blob and then navigate to it, it seems like that HTML would be able to escape any Content-Security-Policy we apply" appears to be the concern. Perhaps we can test that case? I guess I assume if we allow a blob: the browser is going to try to download it, not render/navigate it, but perhaps I am wrong.

zenhack commented 3 years ago

Ah, I think I understand the concern: if we navigate to a blob: URL, does the browser enforce our CSP on the loaded document itself? If the answer is no, then this would allow an app to circumvent the CSP we set for sandboxing purposes.

So we should test this -- @Sohalt's comment suggests that the CSP may be enforced on the loaded HTML too, in which case this is fine.

ocdtrekkie commented 2 years ago

HedgeDoc is also impacted by this one.