Signal Desktop just pushed out a fix for a remote XSS vuln: https://github.com/signalapp/Signal-Desktop/commit/bfbd84f5d1308cdfcb08a1727821f7103be151ea demo: https://twitter.com/ortegaalfredo/status/995017143002509313
Replying to @bcrypt
manual sanitization makes me cry. *finally uninstalls Signal Desktop*
Replying to @spudowiar @bcrypt
Does Electron support using Content-Security-Policy with script-src 'self' and no 'unsafe-eval' or 'unsafe-inline'? CSP isn't perfect but it's a good mitigation and it should be trivial to use a good policy for apps like this.
Replying to @CopperheadOS @spudowiar
in this case, the HTML is served from file:// IIRC so the header won't work but the <meta> element would. https://github.com/electron/electron/blob/master/docs/tutorial/security.md
Replying to @bcrypt @spudowiar
Yeah, we use it that way in an Android WebView, which is a similar concept: https://github.com/CopperheadOS/platform_packages_apps_PdfViewer/blob/1ebb3cb8613fff19b0db9688d147531d448fc4a2/app/src/main/assets/viewer.html#L4
Likely that we could set a real CSP header by making a placeholder request and intercepting the request though. Used that approach to feed PDFs into the WebView despite disabling content and file access for the WebView (file:///android_asset/ and file:///android_res/ still work).
Electron seems very similar to how the Android WebView works, but it has the advantage of being an auto-updated platform component and always using the renderer sandbox rather than apps being responsible for it. The app can trivially give it direct file and content access though.
Apparently now OSes need automatic patching of Electron apps to remove the bundled insecure Chrome & run the app with the installed, up-to-date system one instead.
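As an added example (not code from the thread, from Signal, or from Electron), a Node script that reads the kind of CSP <meta> element the thread describes for a file://-served renderer page and checks that the effective script sources allow neither 'unsafe-inline' nor 'unsafe-eval'. The HTML page, the policy strings and the audit function are all constructed for illustration.

```javascript
// Constructed sample renderer page for a file://-loaded Electron app: the policy
// lives in a <meta> element because there is no HTTP response to carry a header.
const INDEX_HTML = `<!doctype html>
<html><head>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:">
<script src="renderer.js"></script>
</head><body><div id="messages"></div></body></html>`;

// Pull the policy string out of the <meta> element (a regex is enough for HTML we control).
function extractMetaCsp(html) {
  const m = html.match(/<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]*)"/i);
  return m ? m[1] : null;
}

// Parse "directive src src; directive src" into a Map of directive -> source tokens.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Scripts are governed by script-src, or by default-src when script-src is absent.
function effectiveScriptSrc(directives) {
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// Source tokens that would let injected markup run script despite the policy.
const RISKY_SCRIPT_SOURCES = ["'unsafe-inline'", "'unsafe-eval'", '*', 'http:', 'https:', 'data:'];

// Returns a list of findings; an empty list means scripts are limited to the app's own files.
function auditScriptPolicy(policy) {
  if (policy === null) return ['no Content-Security-Policy <meta> element found'];
  const src = effectiveScriptSrc(parseCsp(policy));
  if (src === null) return ['no script-src or default-src: scripts are unrestricted'];
  const findings = [];
  for (const token of RISKY_SCRIPT_SOURCES) {
    if (src.includes(token)) findings.push(`script sources allow ${token}`);
  }
  return findings;
}

console.log(auditScriptPolicy(extractMetaCsp(INDEX_HTML)));                              // []
console.log(auditScriptPolicy("default-src 'self'; script-src 'self' 'unsafe-inline'")); // [ "script sources allow 'unsafe-inline'" ]
```

The check is deliberately token-exact, so a host-specific source such as a single allowed origin passes while a bare scheme or wildcard is reported.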