Address cross-origin and attachments security issues (#4)
* Drop globally allowed CORS

  This is a major security issue, as it allows any website visited on the same machine to query the API when the server is running.

* Serve attachments and raw emails as downloads

  Otherwise, a text/html attachment will be served as an HTML page able to execute JS and exfiltrate emails.

* Protect contents from cross-origin attacks

  Using Spectre, other websites can extract the contents of certain responses even if the CORS policy doesn't allow it. Use Cross-Origin Resource Policy (CORP) to globally opt into Cross-Origin Read Blocking (CORB), which blocks the contents from being delivered to other origins at all.

  By default, CORB only protects HTML and JSON, under the expectation that other content types are gated by credentials or CSRF tokens, but that's not the case here (and I can't edit the JS to make it pass tokens). An alternative could have been to check the Origin header, but it looks like it's not even clear if it's supposed to be sent with cross-origin GET fetches.

  While at it, also throw in the new fancy Cross Origin Opener Policy (COOP) to isolate the document from other origins that might open it in a new window. I think Cross Origin Embedder Policy (COEP) is not relevant to us because it's embedder (attacker) side.

  This really should be easier than this, but also CPUs should work.

* Minor security hardening fixes
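The header changes this commit describes, as an added example that is not the project's own code: a plain Python `http.server` (an assumption, the project's server and routes `/api/messages` and `/attachments/<name>` are hypothetical) that drops the `Access-Control-Allow-Origin` header entirely, forces attachments to download, and sets CORP and COOP on every response.

```python
"""Response-header hardening for a local mail-catcher API (added example).

Assumptions (not from the commit): a plain Python http.server exposing a JSON
message list at /api/messages and raw attachments under /attachments/<name>.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional


def hardened_headers(content_type: str, download_name: Optional[str] = None) -> Dict[str, str]:
    """Build the response headers; note there is deliberately no CORS header."""
    headers = {
        "Content-Type": content_type,
        # Stop the browser from second-guessing the declared type.
        "X-Content-Type-Options": "nosniff",
        # CORP: opt every response into Cross-Origin Read Blocking, so a
        # Spectre-style read from another origin gets no bytes at all, even
        # for content types CORB would normally let through.
        "Cross-Origin-Resource-Policy": "same-origin",
        # COOP: a window opened from another origin cannot keep a handle to us.
        "Cross-Origin-Opener-Policy": "same-origin",
    }
    if download_name is not None:
        # Serve as a download so a text/html attachment is never rendered as a
        # page on this origin (and so never runs script there). Strip characters
        # that could break out of the quoted filename or inject a header line.
        safe = "".join(c for c in download_name if c not in '"\r\n')
        headers["Content-Disposition"] = f'attachment; filename="{safe}"'
    return headers


class MailApiHandler(BaseHTTPRequestHandler):
    def _send(self, status: int, body: bytes, headers: Dict[str, str]) -> None:
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self) -> None:
        if self.path == "/api/messages":
            self._send(200, b'{"messages": []}', hardened_headers("application/json"))
        elif self.path.startswith("/attachments/"):
            name = self.path.rsplit("/", 1)[1] or "attachment.bin"
            body = b"<p>constructed sample attachment body</p>"  # constructed sample
            self._send(200, body, hardened_headers("text/html", name))
        else:
            self._send(404, b"not found", hardened_headers("text/plain"))


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8025), MailApiHandler).serve_forever()
```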