Currently, we allow users to set whatever IPFS gateway they want except gateway.ipfs.io. We should prevent all path-based gateways by implementing the fix suggested below.
Original comment by @lidel:
To make this more bullet proof, you could add a quick validation, to ensure provided hostname is a real subdomain gateway, and refuse to save invalid ones.
Try fetching a small, well-known hash (for example: string hello is bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am) and see if returned value matches expectations:
https://bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am.ipfs.dweb.link
https://bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am.ipfs.cf-ipfs.com
This would also protect you from users setting path-based gateways (which do not provide Origin-based isolation.)
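One way to implement the probe suggested above, as an added example that is not code from this project or from the original comment. The function names and the injectable `fetchImpl` parameter are hypothetical, and rejecting a response whose final URL has left the CID subdomain is an assumption that goes slightly beyond what the comment describes.

```javascript
// Added example: probe a candidate gateway before saving it.
// CID of the string "hello", taken from the issue text.
const PROBE_CID = "bafkreicysg23kiwv34eg2d7qweipxwosdo2py4ldv42nbauguluen5v6am";
const PROBE_BODY = "hello";

// Accept only a bare hostname (optionally with a non-default port).
// Schemes, paths, credentials and query strings are rejected.
// Returns the normalized host, or null when the input is not acceptable.
function normalizeGatewayHost(input) {
  const raw = String(input).trim().toLowerCase();
  if (raw === "" || /[\/\\@?#\s]/.test(raw)) return null;
  let url;
  try { url = new URL(`https://${raw}`); } catch { return null; }
  return url.host === raw ? url.host : null;
}

// Subdomain-gateway form: the CID is a DNS label, so it gets its own origin.
function probeUrl(host) {
  return `https://${PROBE_CID}.ipfs.${host}/`;
}

// res is { ok, url, body }. The response must come from the CID-specific
// origin itself (assumption: a final URL on any other host is rejected) and
// carry the expected content. A trailing newline in the file is tolerated.
function isExpectedResponse(res, host) {
  if (!res.ok) return false;
  let finalHost;
  try { finalHost = new URL(res.url).host; } catch { return false; }
  return finalHost === `${PROBE_CID}.ipfs.${host}` &&
    res.body.trim() === PROBE_BODY;
}

// Returns true only if the gateway may be saved. fetchImpl is injectable so
// the check can be exercised offline; by default the global fetch is used.
async function validateGateway(input, fetchImpl = fetch) {
  const host = normalizeGatewayHost(input);
  if (host === null) return false;
  try {
    const r = await fetchImpl(probeUrl(host), { redirect: "follow" });
    const body = await r.text();
    return isExpectedResponse({ ok: r.ok, url: r.url, body }, host);
  } catch {
    return false; // DNS failure, TLS error or network error: refuse to save
  }
}
```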