walmat / nebula-old

Deployment download link will be hosted here:
http://nebula-deployment.herokuapp.com

Security Checklist #61

Closed walmat closed 5 years ago

walmat commented 6 years ago

If you've been developing and noticing a few security warnings in the console, that's because there are a few current flaws in Nebula's shell.

I think when everything is squared away, or maybe before, idk, we should run through these steps to ensure total security when a user runs our application.

walmat commented 6 years ago

Here's the checklist

  1. Only load secure content
  2. ~Disable NodeJS Integration (remote)~
  3. Enable Context Isolation (remote)
  4. Handle Session Permissions (remote)
  5. Enable WebSecurity (main)
  6. Define CSP (Content Secure Policy)
  7. Override/Disable eval()
  8. Disable AllowRunningInsecureContent
  9. Disable Experimental Features
  10. Disable EnableBlinkFeatures
  11. Disable AllowPopups
  12. Verify WebContents Before Creation
  13. Disable/Limit Navigation
  14. Disable/Limit Creating New Windows

pr1sm commented 5 years ago

I'm looking over the changes in issue_61 and there have been a lot of updates since we've last worked on this branch. I think we should start fresh since that branch is pretty stale.

walmat commented 5 years ago

I agree

walmat commented 5 years ago

Think about a strategy to prevent applications like Charles/MitMProxy/etc. from logging our requests.

pr1sm commented 5 years ago

Looks like 3. (Enable Context Isolation) isn't possible for us at the moment. The description for enabling it is misleading because while the preload script does have read access to the window from the browser, it cannot write anything. This means that we can't attach our window.Bridge API to the browser. Instead it gets set within the preload script's context, while the browser's window.Bridge remains undefined.

I'm not sure if there is a good way around this, we might have to think about different methods of enabling IPC communication in the future if we do want to enable context isolation.

walmat commented 5 years ago

> Looks like 3. (Enable Context Isolation) isn't possible for us at the moment. The description for enabling it is misleading because while the preload script does have read access to the window from the browser, it cannot write anything. This means that we can't attach our window.Bridge API to the browser. Instead it gets set within the preload script's context, while the browser's window.Bridge remains undefined. ...

@pr1sm okay honestly that’s fine. I don’t know how important context isolation is in our case

Sent with GitHawk
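One way to implement the checklist above and to get past the context-isolation problem pr1sm describes, as an added example that is not Nebula's own code: explicit hardened webPreferences with an audit helper, CSP/permission/navigation handlers for the main process, and a preload that exposes window.Bridge through contextBridge instead of assigning to window. The allow-listed origin and the 'app:version' IPC channel are assumptions, not values from the project.

```javascript
// Electron is required lazily so the audit helpers also run under plain Node.
let electron = null;
try { electron = require('electron'); } catch (e) { /* not running inside Electron */ }
// Assumed allow-list: the page names only the deployment link, not the app's real origin.
const ALLOWED_ORIGINS = new Set(['https://nebula-deployment.herokuapp.com']);

// Items 2, 3, 5, 8, 9, 10, set explicitly because Electron's defaults changed over versions.
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
  experimentalFeatures: false,
  enableBlinkFeatures: '',
};
// Items 6 and 7: same-origin scripts only; without 'unsafe-eval', eval() is refused by the CSP.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'";

// Returns the webPreferences keys whose value differs from the hardened one (empty = compliant).
function auditWebPreferences(prefs) {
  return Object.keys(HARDENED_WEB_PREFERENCES)
    .filter((k) => prefs[k] !== HARDENED_WEB_PREFERENCES[k]);
}

// Items 13 and 14: navigation only to allow-listed origins; malformed URLs are refused.
function isAllowedNavigation(url) {
  try { return ALLOWED_ORIGINS.has(new URL(url).origin); } catch (e) { return false; }
}

// Main process: wire items 4, 6, 13, 14 to the default session and the window's webContents.
function createSecureWindow() {
  const { BrowserWindow, session } = electron;
  const ses = session.defaultSession;
  ses.setPermissionRequestHandler((_wc, _permission, callback) => callback(false)); // item 4
  ses.webRequest.onHeadersReceived((details, callback) => callback({          // item 6
    responseHeaders: { ...details.responseHeaders, 'Content-Security-Policy': [CSP] },
  }));
  const win = new BrowserWindow({ webPreferences: { ...HARDENED_WEB_PREFERENCES, preload: `${__dirname}/preload.js` } });
  win.webContents.on('will-navigate', (e, url) => { if (!isAllowedNavigation(url)) e.preventDefault(); });
  win.webContents.setWindowOpenHandler(() => ({ action: 'deny' }));
  return win;
}

// preload.js, item 3: under contextIsolation the preload's `window` is not the page's, so
// `window.Bridge = ...` is invisible to the page. contextBridge exposes a fixed API instead.
function installBridge() {
  const { contextBridge, ipcRenderer } = electron;
  // 'app:version' is an assumed channel name; the page never hands raw ipcRenderer to the renderer.
  contextBridge.exposeInMainWorld('Bridge', { getVersion: () => ipcRenderer.invoke('app:version') });
}
```

Run auditWebPreferences against the options currently passed to BrowserWindow to see which checklist items still fail before touching the window code.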