Speaking of securing the filesystem and following up on Dominique's message from a few days ago, do we want to implement the restriction that XHR is only allowed to load pages from the domain that you are currently on? If so, is this a workable phrasing to make the test? Assuming an xhr object which I am referencing as 'this', this.url is a string. So I turn it into our URL class in order to easily grab and test the host.


if (new URL(this.url).host === window.location.host) {
    // same host as the current page: allow fetchHTTP to run
    // (fetchHTTP's call signature is assumed here)
    fetchHTTP();
} else {
    // different host: prevent fetchHTTP from running
    this.aborted = true;
    throw new Error("XHR blocked: " + this.url + " is not on " + window.location.host);
}

Here's a startwindow that makes this change if we want to do this.
http://carhart.net/~kevin/startwindow_20180311.zip

Tested on the dummy page http://carhart.net/~kevin/badxhr.html

Without the change, xhr.responseText gets the contents of http://pizza.com
With the change, it refuses to load http://pizza.com from carhart.net
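Below is an added, stand-alone version of the check described in the message; it is not code from the message, from the linked startwindow, or from edbrowse. It goes a little beyond the host-only test: it resolves relative URLs against the page URL first (so "/path" is not rejected for having no host), and it compares the full origin (scheme + host + port) rather than just the host, which is what browsers mean by "same origin" and which keeps http://host and https://host, or host and host:8080, from being treated as interchangeable. The xhr object shape (url, aborted, responseText), the fetchHTTP transport and the page/target URLs used in the demo are all assumptions or constructed sample values.

```javascript
// Added example: same-origin gate for an xhr-like object.
// Uses the WHATWG URL class (a global in browsers and in Node.js >= 10).

// Resolve requestUrl against the page URL and return the absolute URL
// string if it is same-origin with the page, otherwise null.
function resolveSameOrigin(requestUrl, pageHref) {
  let target;
  try {
    target = new URL(requestUrl, pageHref);
  } catch (e) {
    return null; // unparsable URL: refuse rather than guess
  }
  const page = new URL(pageHref);
  // Opaque origins (e.g. data: URLs) serialize as "null" and match nothing.
  if (target.origin === 'null') return null;
  return target.origin === page.origin ? target.href : null;
}

function isSameOrigin(requestUrl, pageHref) {
  return resolveSameOrigin(requestUrl, pageHref) !== null;
}

// Assumed xhr shape: url, aborted, responseText (a stand-in, not edbrowse's object).
function makeXhr(url) {
  return { url: url, aborted: false, responseText: null };
}

// Guarded send: runs the transport only for same-origin targets; otherwise
// marks the request aborted and throws, as the message's pseudocode describes.
// fetchHTTP is a hypothetical transport taking an absolute URL string.
function guardedSend(xhr, pageHref, fetchHTTP) {
  const absolute = resolveSameOrigin(xhr.url, pageHref);
  if (absolute === null) {
    xhr.aborted = true;
    throw new Error('XHR blocked: ' + xhr.url + ' is not same-origin with ' + pageHref);
  }
  xhr.responseText = fetchHTTP(absolute);
  return xhr.responseText;
}

// Constructed fake transport: returns a canned body instead of fetching.
function fakeFetchHTTP(url) {
  return 'body of ' + url;
}

// Demo mirroring the badxhr.html test: one same-origin request, one to pizza.com.
function demo() {
  const page = 'http://carhart.net/~kevin/badxhr.html'; // constructed sample page URL
  const results = {};
  const ok = makeXhr('/~kevin/other.html'); // constructed relative target
  results.relative = guardedSend(ok, page, fakeFetchHTTP);
  const bad = makeXhr('http://pizza.com/');
  try {
    guardedSend(bad, page, fakeFetchHTTP);
    results.crossOrigin = 'allowed';
  } catch (e) {
    results.crossOrigin = bad.aborted ? 'blocked' : 'error';
  }
  return results;
}
```

Comparing origin instead of host is the deliberate choice here: a host-only comparison would let an http page on carhart.net load from https://carhart.net or from carhart.net:8080, which a browser treats as different origins.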
_______________________________________________
Edbrowse-dev mailing list
Edbrowse-dev@lists.the-brannons.com
http://lists.the-brannons.com/mailman/listinfo/edbrowse-dev