Speaking of securing the filesystem and following up on Dominique's
message from a few days ago, do we want to implement the restriction that
XHR is only allowed to load pages from the domain that you are currently on?
If so, is this a workable phrasing to make the test? Assuming an xhr
object which I am referencing as 'this', this.url is a string. So I turn
it into our URL class in order to easily grab and test the host.
if (new URL(this.url).host == window.location.host) {
    /* same host as the current page: allow fetchHTTP to run (existing code path) */
} else {
    /* different host: do not run fetchHTTP */
    this.aborted = true;
    throw new Error("XMLHttpRequest refused: " + this.url +
        " is not on the current domain " + window.location.host);
}
Here's a startwindow that makes this change if we want to do this.
http://carhart.net/~kevin/startwindow_20180311.zip
Tested on the dummy page http://carhart.net/~kevin/badxhr.html
Without the change, xhr.responseText gets the contents of http://pizza.com
With the change, it refuses to load http://pizza.com from carhart.net
_______________________________________________
Edbrowse-dev mailing list
[email protected]
http://lists.the-brannons.com/mailman/listinfo/edbrowse-dev
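The same-host check discussed in the message, as an added stand-alone JavaScript example (not code from the edbrowse patch or the startwindow). It uses Node's WHATWG URL class instead of edbrowse's own URL class, resolves relative request URLs against the page so the constructor does not throw on "/path" style requests, and adds an optional strict mode comparing the full origin (scheme, host, port) as the browser same-origin policy does, which goes beyond the host-only comparison in the message. The function names, the decision object and the sample URLs are constructed for this example.

```javascript
// Stand-alone version of the "XHR may only load from the current host" check.
// Returns a decision object instead of throwing so the caller (the XHR object,
// which in the message sets this.aborted and throws) decides how to react.
function checkXhrTarget(requestUrl, pageUrl, strict = false) {
  let target;
  try {
    target = new URL(requestUrl, pageUrl);   // relative URLs resolve against the page
  } catch (e) {
    return { allowed: false, reason: "unparseable URL: " + requestUrl };
  }
  const page = new URL(pageUrl);
  // Non-network schemes (data:, javascript:) have no host and never match.
  if (target.host === "") {
    return { allowed: false, reason: "no host in " + target.href };
  }
  if (strict) {
    // Browser same-origin policy: scheme, host and port must all match.
    if (target.origin !== page.origin) {
      return { allowed: false, reason: "origin " + target.origin + " != " + page.origin };
    }
  } else if (target.host !== page.host) {
    // The check proposed in the message: host (including any port) only.
    return { allowed: false, reason: "host " + target.host + " != " + page.host };
  }
  return { allowed: true, target: target.href };
}

// Constructed sample cases modelled on the dummy page named in the message.
const PAGE = "http://carhart.net/~kevin/badxhr.html";
const SAMPLES = [
  "http://pizza.com/",            // cross-domain: refused
  "http://carhart.net/~kevin/x",  // same host: allowed
  "/~kevin/other.html",           // relative: resolves to carhart.net, allowed
  "http://www.carhart.net/",      // subdomain is a different host: refused
  "https://carhart.net/",         // same host, other scheme: allowed unless strict
  "data:text/html,hi",            // no host: refused
];

// Runs every sample through the check and returns [url, allowed] pairs.
function runSamples(strict = false) {
  return SAMPLES.map(u => [u, checkXhrTarget(u, PAGE, strict).allowed]);
}
```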