cross site spoofing with localStorage between 2 repos #55

Open
bulk88 opened this issue Aug 2, 2020 · 4 comments

bulk88 commented Aug 2, 2020

If a GitHub Pages repo is accessed through githack, in many cases a website will render and operate as intended, locating all resources through githack instead of GitHub/Fastly. The user must visually ignore the address bar, but localStorage, ummm, origin will be "rawcdn.githack.com" and localStorage contents can easily be fetched later with a malicious GitHub Pages repo to the sensitive GitHub Pages repo running on the wrong origin. Not sure if there is a real bug since GitHub Pages shouldn't have a concept of "logging in", but some GH Pages sites do "login" with localStorage. Feel free to close if there is no quick fix.

I've used githack as a quick and dirty different "origin" for a GH Pages site when a CORS API WAF got tired of my no-API-key anonymous usage and punished my Origin: header by omitting "Access-Control-Allow-Credentials: true" in responses to my Origin: header for some minutes, and I had burned through the official domain and "http://localhost" already. file:// doesn't work, as that makes a browser send "Origin: null" for XHR CORS.

@binary-person

You shouldn't use githack cdn as a website. You should only use it to serve assets. Examples are js, css, img files, not html files.

@neoascetic
Owner

Well, you could use it for static websites — why not?

@binary-person

> why not?

I guess you can, but you need to be careful. Let's say there are site A and site B. Site A uses localStorage to store some info. Site B is malicious. Site B can easily get Site A's localStorage and bypass all cross-site related protections because they serve under the same domain.

A remedy for this would be to instead use github.io's system and serve a user under a subdomain, but that's likely not going to happen.

@Efreak

Efreak commented Jun 23, 2022

You might be able to implement this by using subdomains instead of paths for user, service: bulk88.github.githackcdn/repo/commitish/path/file (or even put the repo in a subdomain as well). Then submit your cdn to the public suffix list and you should be good.

Edit: Cloudflare now allows free users to use wildcards.
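
The origin arithmetic behind this thread, as an added example that is not part of the original discussion or of the githack project: it groups constructed page URLs by the origin that keys localStorage, and models in simplified form the cookie rule that a public suffix list entry changes. The owner names, repo paths and the `githack.example` per-user host layout are hypothetical.

```javascript
// Constructed sample pages; owners, repos and the per-user host layout are hypothetical.
const pages = [
  { owner: "alice",   url: "https://rawcdn.githack.com/alice/app/abc123/index.html" },
  { owner: "mallory", url: "https://rawcdn.githack.com/mallory/site/def456/index.html" },
  { owner: "alice",   url: "https://alice.github.io/app/index.html" },
  { owner: "mallory", url: "https://mallory.github.io/site/index.html" },
  { owner: "alice",   url: "https://alice.github.githack.example/app/abc123/index.html" },
  { owner: "mallory", url: "https://mallory.github.githack.example/site/def456/index.html" },
];

// localStorage is keyed by origin (scheme + host + port); the path plays no part.
// Returns a Map of origin -> sorted list of distinct owners served from it.
function ownersByOrigin(list) {
  const map = new Map();
  for (const { owner, url } of list) {
    const origin = new URL(url).origin;
    if (!map.has(origin)) map.set(origin, new Set());
    map.get(origin).add(owner);
  }
  return new Map([...map].map(([o, s]) => [o, [...s].sort()]));
}

// Origins where more than one owner shares a single localStorage area.
function sharedStorageOrigins(list) {
  return [...ownersByOrigin(list)]
    .filter(([, owners]) => owners.length > 1)
    .map(([origin]) => origin);
}

// Simplified cookie rule: a host may set a cookie with Domain=<d> for a parent
// domain d, which sibling hosts then receive, unless d is on the public suffix
// list. Subdomains isolate localStorage on their own; the public suffix entry
// is what stops sibling hosts from sharing cookies.
function siblingsCanShareCookie(host, domain, publicSuffixes) {
  const isParent = host.endsWith("." + domain);
  return isParent && !publicSuffixes.has(domain);
}

console.log(sharedStorageOrigins(pages));
console.log(siblingsCanShareCookie("alice.github.githack.example",
  "github.githack.example", new Set()));
console.log(siblingsCanShareCookie("alice.github.githack.example",
  "github.githack.example", new Set(["github.githack.example"])));
```

Only the path-based host comes back as a shared storage origin; the per-user hosts each get their own.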
