Disable third-party access to 0net server.

This previously enabled clearnet sites to detect if user is running 0net instance on their machine as well as to detect which 0net sites are downloaded. Check online at https://riza-committee.github.io/demos/0scan.html Intra-0net version of this is still available at http://127.0.0.1:43110/1ScanCY9fjmjanDt7NwvyNQCL16hqWnVM/
2023-07-25 18:59:09 +00:00 · 2023-07-25 18:59:09 +00:00 · 0811902ff6
commit 0811902ff6
parent a8c2117a55
1 changed files with 22 additions and 2 deletions
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@ -282,13 +282,17 @@ class UiRequest(object):

    # Send response headers
    def sendHeader(self, status=200, content_type="text/html", noscript=False, allow_ajax=False, script_nonce=None, extra_headers=[]):
+        ref = self.env.get("HTTP_REFERER")
+        url = self.getRequestUrl()
+        if status != 404 and ref and not self.isSameHost(ref, url):
+            # pretend nothing is here for third-party access
+            return self.error404()
+
        headers = {}
        headers["Version"] = "HTTP/1.1"
        headers["Connection"] = "Keep-Alive"
        headers["Keep-Alive"] = "max=25, timeout=30"
        headers["X-Frame-Options"] = "SAMEORIGIN"
-        if content_type != "text/html" and self.env.get("HTTP_REFERER") and self.isSameOrigin(self.getReferer(), self.getRequestUrl()):
-            headers["Access-Control-Allow-Origin"] = "*"  # Allow load font files from css

        if noscript:
            headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation allow-forms; img-src *; font-src * data:; media-src *; style-src * 'unsafe-inline';"
@ -605,7 +609,23 @@ class UiRequest(object):
        self.server.add_nonces.append(add_nonce)
        return add_nonce

+    def isSameHost(self, url_a, url_b):
+        """Check if urls have the same HOST (to prevent leaking resources to clearnet sites)"""
+        if not url_a or not url_b:
+            return False
+
+        url_a = url_a.replace("/raw/", "/")
+        url_b = url_b.replace("/raw/", "/")
+
+        origin_pattern = "http[s]{0,1}://(.*?/).*"
+
+        origin_a = re.sub(origin_pattern, "\\1", url_a)
+        origin_b = re.sub(origin_pattern, "\\1", url_b)
+
+        return origin_a == origin_b
+
    def isSameOrigin(self, url_a, url_b):
+        """Check if 0net origin is the same"""
        if not url_a or not url_b:
            return False