Disable third-party access to 0net server.

This previously allowed clearnet sites to detect whether the user is running a 0net instance
on their machine, as well as which 0net sites have been downloaded.

Check online at https://riza-committee.github.io/demos/0scan.html

Intra-0net version of this is still available at
http://127.0.0.1:43110/1ScanCY9fjmjanDt7NwvyNQCL16hqWnVM/
This commit is contained in:
caryoscelus 2023-07-25 18:59:09 +00:00
parent a8c2117a55
commit 0811902ff6


@ -282,13 +282,17 @@ class UiRequest(object):
# Send response headers
def sendHeader(self, status=200, content_type="text/html", noscript=False, allow_ajax=False, script_nonce=None, extra_headers=[]):
ref = self.env.get("HTTP_REFERER")
url = self.getRequestUrl()
if status != 404 and ref and not self.isSameHost(ref, url):
# pretend nothing is here for third-party access
return self.error404()
headers = {}
headers["Version"] = "HTTP/1.1"
headers["Connection"] = "Keep-Alive"
headers["Keep-Alive"] = "max=25, timeout=30"
headers["X-Frame-Options"] = "SAMEORIGIN"
if content_type != "text/html" and self.env.get("HTTP_REFERER") and self.isSameOrigin(self.getReferer(), self.getRequestUrl()):
headers["Access-Control-Allow-Origin"] = "*" # Allow load font files from css
if noscript:
headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation allow-forms; img-src *; font-src * data:; media-src *; style-src * 'unsafe-inline';"
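Review bot: The new guard on the `if status != 404 and ref and not self.isSameHost(ref, url):` line is skipped whenever no Referer header is present, and the requesting page controls whether one is sent (Referrer-Policy), so this narrows the clearnet detection described in the commit message but does not reliably close it; the browser-set `Sec-Fetch-Site` request header (`self.env.get("HTTP_SEC_FETCH_SITE") == "cross-site"`) cannot be suppressed by the initiating page and would be worth checking alongside the Referer. Returning `self.error404()` from inside sendHeader is also fragile: if error404 only sends a 404 header and returns an error body, any handler that calls sendHeader without using its return value would still emit its normal body after that header, so the content may still leak under a different status code — this depends on callers outside the hunk. Performing the check once in the request dispatcher, before a handler is selected, would avoid that and would also remove the need for the `status != 404` exemption, which looks like it exists only to stop error404's own sendHeader call from recursing. sendHeader's body continues past the end of the hunk.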
@ -605,7 +609,23 @@ class UiRequest(object):
self.server.add_nonces.append(add_nonce)
return add_nonce
def isSameHost(self, url_a, url_b):
"""Check if urls have the same HOST (to prevent leaking resources to clearnet sites)"""
if not url_a or not url_b:
return False
url_a = url_a.replace("/raw/", "/")
url_b = url_b.replace("/raw/", "/")
origin_pattern = "http[s]{0,1}://(.*?/).*"
origin_a = re.sub(origin_pattern, "\\1", url_a)
origin_b = re.sub(origin_pattern, "\\1", url_b)
return origin_a == origin_b
def isSameOrigin(self, url_a, url_b):
"""Check if 0net origin is the same"""
if not url_a or not url_b:
return False