This repository has been archived by the owner on Feb 26, 2020. It is now read-only.
Parity UI should not allow browsing to arbitrary websites #118
Assignees
Labels
F1-security
The client fails to follow expected, security-sensitive, behaviour.
P7-nicetohave
Issue is worth doing eventually.
Z7-duplicate
Issue is a duplicate. Closer should comment with a link to the duplicate.
Comments
|
Agreed. Related to #111. |
Tbaut
added
F1-security
|
Close for duplication |
|
I think this issue is specific to the links in the news displayed in the wallet dapp. I'll fix this for dapp-wallet. |
|
@axelchalon How about if a 3rd-party network dapp decides to put Probably something needs to be done on the Electron side too. |
axelchalon
added
the
A3-inprogress
axelchalon
removed
the
A3-inprogress
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Inside Parity UI there are links to blogs and external resources. Any of these can have links to arbitrary websites. Having 3rd party websites load inside the UI presents the risk that a site could attempt a phishing attack simulating the wallet DApp, or make a signing request.
The web browser inside Parity UI should be restricted to a very limited whitelist of domains. All other pages should open in your default browser.
The text was updated successfully, but these errors were encountered: