While doing #5, I noticed a potential security issue.
In `handleLogin()` in `client/src/components/App.js`, the redirect to Fireroad is passed a `redirect=<url>` query parameter. This URL is set to use HTTP instead of HTTPS if the user's URL includes `localhost:5000`. I could potentially see this being a security risk if someone sneaks this string into the URL and then captures the Fireroad auth token via a man-in-the-middle attack.
Regardless, this behavior should be configured via a build flag instead of trying to guess whether it's being run in dev. Will make a stacked PR on top of #5 that does this.
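To make the issue concrete, here is an added example (not the project's actual `handleLogin()` code) that reconstructs the scheme-guessing pattern described above and contrasts it with a build-flag approach. The function names, the `allowHttpRedirect` flag, the Fireroad URL and the sample page URLs are all assumed or constructed. The hardened version additionally restricts the downgrade to a real loopback hostname, which goes one step beyond the build flag the issue proposes:

```javascript
// Added example, not code from the project. Assumed names: FIREROAD_AUTH_URL,
// withRedirectParam, buildFireroadRedirectGuessed, buildFireroadRedirectFlagged,
// redirectSchemeOf, allowHttpRedirect.

// Constructed placeholder for the Fireroad login endpoint.
const FIREROAD_AUTH_URL = "https://fireroad.example/login/";

// Builds the final auth URL: the app's own location goes into ?redirect=<url>.
function withRedirectParam(scheme, pageUrl) {
  const u = new URL(pageUrl);
  const redirect = `${scheme}://${u.host}${u.pathname}`;
  return `${FIREROAD_AUTH_URL}?redirect=${encodeURIComponent(redirect)}`;
}

// Vulnerable pattern: choose the scheme by looking for "localhost:5000"
// anywhere in the current page URL. The substring can sit in the path,
// query or fragment of a production URL (e.g. a link a visitor was sent),
// and the redirect is then downgraded to plaintext http://.
function buildFireroadRedirectGuessed(currentUrl) {
  const scheme = currentUrl.includes("localhost:5000") ? "http" : "https";
  return withRedirectParam(scheme, currentUrl);
}

// Hardened pattern: the downgrade is only possible when a build-time flag is
// set (assumed here to be passed in as allowHttpRedirect, e.g. from an
// environment variable baked in at build time), and even then only when the
// page is actually served from loopback, so a production host never gets an
// http:// redirect regardless of what the URL contains.
function buildFireroadRedirectFlagged(currentUrl, { allowHttpRedirect = false } = {}) {
  const { hostname } = new URL(currentUrl);
  const isLoopback = hostname === "localhost" || hostname === "127.0.0.1";
  const scheme = allowHttpRedirect && isLoopback ? "http" : "https";
  return withRedirectParam(scheme, currentUrl);
}

// Inspects which scheme the redirect parameter ended up with.
function redirectSchemeOf(authUrl) {
  const redirect = new URL(authUrl).searchParams.get("redirect");
  return new URL(redirect).protocol.replace(/:$/, "");
}

// Constructed URLs: a genuine local dev session, and a production page whose
// query string merely contains the magic substring.
const DEV_URL = "http://localhost:5000/";
const POISONED_PROD_URL = "https://app.example.com/courses?next=localhost:5000";

console.log("guessed, dev:      ", redirectSchemeOf(buildFireroadRedirectGuessed(DEV_URL)));
console.log("guessed, poisoned: ", redirectSchemeOf(buildFireroadRedirectGuessed(POISONED_PROD_URL)));
console.log("flagged, poisoned: ", redirectSchemeOf(buildFireroadRedirectFlagged(POISONED_PROD_URL)));
console.log("flagged, dev+flag: ", redirectSchemeOf(buildFireroadRedirectFlagged(DEV_URL, { allowHttpRedirect: true })));
```

In the guessed version the poisoned production URL yields an `http://app.example.com/...` redirect, which is exactly the condition under which a network attacker could read the token Fireroad appends on return. In the flagged version the same input stays on `https://` unless the build flag is set and the page really is on loopback, so a production bundle built without the flag cannot be talked into a downgrade.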