Skip to content
This repository has been archived by the owner on Apr 8, 2021. It is now read-only.

Generated HTML graph loads unauthenticated scripts over plain HTTP #116

Open
v6ak opened this issue Jan 12, 2017 · 2 comments
Open

Generated HTML graph loads unauthenticated scripts over plain HTTP #116

v6ak opened this issue Jan 12, 2017 · 2 comments
Labels
Bug community

Comments

@v6ak
Copy link

v6ak commented Jan 12, 2017

As a result, a network attacker can modify the scripts in order to:

  • obtain full path on local computer
  • load details about the projects

How to fix it:

a. Use subresource integrity (limited browser compatibility)
b. Use HTTPS
c. Use both
@jrudolph
Copy link
Member

jrudolph commented Jan 12, 2017
edited
Loading

Thanks, good point, @v6ak. Couldn't we just include all of the scripts and serve them from the file system?

@v6ak
Copy link
Author

v6ak commented Jan 12, 2017

Yes, this is also an option. I wanted to be conservative :)

@jrudolph jrudolph added the Bug label Feb 17, 2017
@jrudolph jrudolph mentioned this issue Aug 3, 2018
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Bug community
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jrudolph @v6ak