![]() ![]() However, if the target=_top is not really needed, we can consider that as a bug in the scrappers and they should remove it. It would be to the viewer itself to dynamically patch (or intercept) links with target=_top and replace them with target=framename. Allowing target=_top link breaks the (viewer) ui, but at least the website is usable.Īnd this is difficulty patchable as other player than kiwix-serve/ kiwix-js don't use iframe and so target=_top is totally valid. On iframe may display a menu with links changing the top iframe content. There is a balance between adding a new security level and not inferring in the website content (in chrome browser)īlocking any link with target=_top (with sandboxed iframe) may not be a good idea neither.Ī website may be internally composed of several iframes. This is not the behaviour the creator of the ZIM may have intended, so there is a balance to be struck between security and respect for the intentions of the ZIM creator / trusted web resource. It may change, but if it became a purpose, the solution is probably more in service worker (to control all connection going out of the displayed website) than in iframe. You can use the "no viewier/iframe" with the /content/zim_name/path/to/article to see that website can phone home all the time.īlocking this requests was never a goal of kiwix-serve. There is no more user data leak than before. However, we have exchange the website css breaking the css of the app controls against links with target=_top breaking the app controls. The change to iframe is not the source of the leak. The iframe is the occasion to add some kind of protection against accidentally "falsely offline" website when it was impossible to do before. And as we were inserting the top bar in the content of the page, it was even simpler for the website to break out the app's controls. ![]() "falsely offline" websites were obviously able to phone home. This is how web works and except by blocking all connections to server, it can always append.īefore iframe, kiwix-serve was simply displaying the content in the top frame. The vulnerability is that we display a "falsely offline" version of website which can still phone home and leak user data to remote servers. There is a vulnerability in Kiwix Serve and Kiwix JS related to the use of iframes to display articles: scripts in these articles can accidentally (or on purpose) navigate to remote sites and leak user data to remote servers, or they can break out of the iframe and destroy the app's controls
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |