will-hanlen
commented
1 week ago the main goal of sky's security model is to ensure:
- a shrub's frontend can only send pokes to itself and its children
- a response can only by swapped into the current window (not other windows or sky's wrapping html)
the main paths forward are:
option 1: sanitize everything
methods:
- set correct CSP meta tag
- htmx.config.allowEval = false
- removes hx-on: attributes
- removes hx-vals with the js: prefix
- removes hx-headers with the js: prefix
- htmx.config.selfRequestsOnly = true
- only trust content from ship domain
- htmx.config.allowScriptTags = false
- no evaluation of script tags
- htmx.config.historyCacheSize = 0
- js can be re-sanitized on the frontend as well for double-security
- make sure that post requests dont go to other domains
- make sure that hx-target is within current window
- css sanitization
option 2: everything is an iframe
- current hawk endpoints get wrapped in an iframe
- in theory this lets us not sanitize js or css
- kind of not real until shrubs have their own subdomain
- we should talk with ~palfun-foslup and ~tinnus-napbus about how viable this path is in the near term
How does Sky prevent nodes from falsifying their identity when making requests? What is our long-term strategy towards closing any loopholes in this?
Does Sky filter out all script tags and include enough built-in components for UI devs to get by? What is Sky's attitude towards using iframes for sandboxing?
Will Shrubbery eventually place all nodes at their own subdomains so that they can handle their own client-side authentication?