storacha / w3link

🪐 The IPFS gateway for web3.storage is not "another gateway", but a caching layer that sits on top of existing IPFS public gateways.

feat: add csp to allowlist wss w3s api #41

Closed vasco-santos closed 1 year ago

vasco-santos commented 1 year ago

Also whitelists wss APIs from web3.storage subdomains

travis commented 1 year ago

This makes sense to me, tho I'll note that @alanshaw and @Gozala and others (apologies if I'm forgetting who drove this conversation) raised concerns that the current allow-listing of the http *.web3.storage URLs makes it possible for people to deploy phishing websites that get around some of the restrictions we enforce with CSP.

For example: we disallow form submission to make it harder to make a phishing form that sends user information to an arbitrary third party, but if we allow access to our APIs they can just store that info in a DAG they control and harvest it that way.

I think the general vibe in the room this morning was that we should probably lock down CSP even more and disallow access to our APIs unless it will be an unreasonably large pain in the butt for us and/or the community, but I think folks were also inclined to push this up to the product/business level because there are implications for them - @dchoi27 might be worth organizing a meeting next week to kick this around?
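The bypass travis describes is a property of the policy as a whole rather than of any one directive: blocking `form-action` while `connect-src` admits the API origins leaves the fetch/WebSocket channel open. The checker below is added here as an illustration and is not code from the w3link project; it parses a CSP header and reports which channels still reach a set of API URLs. The page origin, both policies and the API URLs are constructed, and the matching implements only a simplified subset of the CSP source-expression rules.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed values for the illustration; not the gateway's real origin or policy.
PAGE_ORIGIN = "https://example.w3s.link"
LOCKED_DOWN = "default-src 'self'; form-action 'none'; connect-src 'self'"
API_ALLOWED = "default-src 'self'; form-action 'none'; connect-src 'self' https://*.web3.storage wss://*.web3.storage"
API_URLS = ["https://api.web3.storage/upload", "wss://api.web3.storage/"]

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into directive -> source list (first occurrence wins)."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy

def source_matches(source: str, url: str) -> bool:
    """Simplified source-expression match: 'none', 'self', '*', bare scheme, host with optional '*.' label."""
    u, src = urlsplit(url), source.strip("'").lower()
    if src == "none":
        return False
    if src == "self":
        return (u.scheme, u.netloc) == urlsplit(PAGE_ORIGIN)[:2]
    if src == "*":
        return u.scheme in ("http", "https", "ws", "wss")
    if src.endswith(":"):
        return u.scheme == src[:-1]
    scheme, host = src.split("://", 1) if "://" in src else (None, src)
    host = host.split("/")[0].split(":")[0]
    # A scheme in the source also admits its secure upgrade (http->https, ws->wss).
    if scheme and u.scheme != scheme and (scheme, u.scheme) not in {("http", "https"), ("ws", "wss")}:
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def allowed(policy: dict[str, list[str]], directive: str, url: str) -> bool:
    """Fetch directives fall back to default-src as browsers do; form-action does not; absent means permissive."""
    sources = policy.get(directive)
    if sources is None and directive != "form-action":
        sources = policy.get("default-src")
    return True if sources is None else any(source_matches(s, url) for s in sources)

def exfil_channels(header: str, urls: list[str]) -> list[tuple[str, str]]:
    """Channels through which page content could reach each URL: form submission or fetch/XHR/WebSocket."""
    policy = parse_csp(header)
    return [(channel, url) for url in urls
            for channel, directive in (("form", "form-action"), ("connect", "connect-src"))
            if allowed(policy, directive, url)]
```

Running `exfil_channels` over the two constructed policies shows the locked-down one reaching nothing while the API-allowing one still exposes both API URLs through `connect-src`, which is the gap the comment above points at.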

dchoi27 commented 1 year ago

Thanks for flagging! IMO - in this case there would mainly be business considerations if we were considering making things more open. The volume of phishing we were getting was untenable. If we'd rather not open access to our APIs, that's totally fine - it seemed more that there would be engineering value in doing so for our internal engineering team (being able to dogfood our own stack) without necessarily opening up security vulnerabilities (but lmk if I'm not understanding fully!)

travis commented 1 year ago

OK great - someone had a link to the issue that convinced us to open up the CSP to communication with our APIs, so I think one of the original goals was to enable a third party to build apps served from the gateway that talk to our APIs - disrupting those folks is probably the biggest downside of locking things down.

Do we have any way of telling how many people are doing something like this? Do we log the origin of requests to the access and uploads APIs? I'd be happy to grep around in some logs to get a sense of how many folks might be affected by closing off access to our APIs in sites served from the gateway if someone can point me in the right direction.

vasco-santos commented 1 year ago

The issue in question is https://github.com/nftstorage/nft.storage/issues/2275 @dchoi27 @travis

> Do we have any way of telling how many people are doing something like this? Do we log the origin of requests to the access and uploads APIs? I'd be happy to grep around in some logs to get a sense of how many folks might be affected by closing off access to our APIs in sites served from the gateway if someone can point me in the right direction.

@travis thanks for your availability. This is likely using our older APIs, so if you have access to Cloudflare Dashboard you should be able to see https://dash.cloudflare.com/fffa4b4363a7e5250af8357087263b3a/web3.storage/analytics/traffic?referer=w3s.link&time-window=43200

vasco-santos commented 1 year ago

Closing this given we are also going to drop support for http API