respond-proxy.html has XSS issue #359

Open
zmmbreeze opened this issue Apr 26, 2016 · 5 comments

@zmmbreeze

For example: http://yourcdn.com/respond-proxy.html?url=javascript:alert(19890611520);&css=http://yourcdn.com/test.css

Code: https://github.com/scottjehl/Respond/blob/master/cross-domain/respond-proxy.html#L90

@matthijsmelissen

Confirmed.

@ljharb

ljharb commented Jun 23, 2016

@scottjehl any update on this?

@scottjehl
Owner

So, deprecating the cross-domain proxy is definitely the first thing I'd like to do. A server proxy, while annoying, is likely the better way to handle this situation. I hope you agree.

The proxy has been deprecated in the readme since October, so I think a new point release should remove it.

@lecajer

lecajer commented Apr 17, 2018

I added the following in respond-proxy.html#L87 in order to have a minimal protection.

```js
// XSS protection
if(domain.toLowerCase().indexOf('javascript') !== -1) {
    domain = null;
}
```

Not sure if it is possible to pass through.

@matthijsmelissen

matthijsmelissen commented Apr 17, 2018

Can we not do whitelisting, i.e. only accept URLs starting with http:// and https://?
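
The allowlist suggested in the last comment, as an added example that is not part of the thread or of Respond's code: it parses the `url` parameter and accepts only the `http:` and `https:` schemes instead of searching for a blocked substring. The function and constant names are hypothetical, and it assumes a runtime that provides `URL` and `URLSearchParams`.

```javascript
// Added example: scheme allowlist for the proxy's "url" query parameter.
// Names below are hypothetical and not taken from respond-proxy.html.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalized absolute URL if its scheme is http(s), else null.
function allowlistedUrl(raw) {
  if (typeof raw !== "string" || raw === "") return null;
  let parsed;
  try {
    // No base URL is supplied, so relative or malformed input throws.
    parsed = new URL(raw);
  } catch (e) {
    return null;
  }
  // The parser lower-cases the scheme, so "HTTPS:" and "JavaScript:"
  // are compared in normalized form.
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Extracts the "url" parameter from a query string and validates it.
function redirectTargetFromQuery(search) {
  const params = new URLSearchParams(search);
  return allowlistedUrl(params.get("url"));
}

// Constructed inputs; the first is the query string from the report above.
const samples = [
  "?url=javascript:alert(19890611520);&css=http://yourcdn.com/test.css",
  "?url=JavaScript:alert(19890611520);&css=http://yourcdn.com/test.css",
  "?url=ftp://yourcdn.com/page.html&css=http://yourcdn.com/test.css",
  "?url=/relative/page.html",
  "?css=http://yourcdn.com/test.css",
  "?url=HTTPS://yourcdn.com/page.html&css=http://yourcdn.com/test.css",
];
for (const s of samples) {
  console.log(redirectTargetFromQuery(s) === null ? "reject" : "accept", s);
}
```

Only the last sample is accepted; a caller would treat `null` as "do not navigate" rather than falling back to the raw parameter.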
