Backend accepts messages posted from origins besides localhost.

[KodyJKing]

Description

On the WebView2 frontend, if a Wails app navigates to an external site, that site can call any exposed backend APIs. This seems like a social engineering risk if an attacker finds any sneaky way to get a user to navigate away from localhost.

To Reproduce

1. Create a Wails app.
2. Link to this page https://kodyjking.github.io/wails-xss/ (source: https://github.com/KodyJKing/wails-xss/blob/main/index.html)
3. Follow the link from your wails app.

Expected behaviour

The backend ignores messages posted from this origin.

Screenshots

No response

Attempted Fixes

No response

System Details

# Wails
Version | v2.6.0

# System
┌────────────────────────────────────┐
| OS           | Windows 10 Home     |
| Version      | 2009 (Build: 19045) |
| ID           | 22H2                |
| Go Version   | go1.21.3            |
| Platform     | windows             |
| Architecture | amd64               |
└────────────────────────────────────┘

# Dependencies
┌───────────────────────────────────────────────────────┐
| Dependency | Package Name | Status    | Version       |
| WebView2   | N/A          | Installed | 120.0.2210.91 |
| Nodejs     | N/A          | Installed | 20.9.0        |
| npm        | N/A          | Installed | 10.1.0        |
| *upx       | N/A          | Available |               |
| *nsis      | N/A          | Available |               |
└─────────────── * - Optional Dependency ───────────────┘

Additional context

No response

[leaanthony]

Certainly something we will look at though we don't really recommend navigating to untrusted sites in your desktop apps!

[KodyJKing]

Makes sense. My app should stay on localhost, but I'm anxious about my attack surface including any library that can affect navigation.

[leaanthony]

Yeah for sure, but there would need to be quite a lot of knowledge on the internal calls to construct something that didn't error. We will of course look at ways to mitigate this.