This repository has been archived by the owner on Feb 26, 2020. It is now read-only.
Parity UI should not allow browsing to arbitrary websites #118
Labels:
F1-security: The client fails to follow expected, security-sensitive behaviour.
P7-nicetohave: Issue is worth doing eventually.
Z7-duplicate: Issue is a duplicate. Closer should comment with a link to the duplicate.
Inside Parity UI there are links to blogs and external resources. Any of these can have links to arbitrary websites. Having third-party websites load inside the UI presents the risk that a site could attempt a phishing attack simulating the wallet DApp, or make a signing request.
The web browser inside Parity UI should be restricted to a very limited whitelist of domains. All other pages should open in your default browser.
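The routing rule proposed above (allowlisted hosts load in the embedded browser, everything else goes to the OS default browser) is easy to get wrong with naive string matching. The following is an added example, not Parity UI's code; the host names, the allowlist and the `routeNavigation` / `isAllowedInApp` function names are constructed for illustration. It parses the target as a URL, requires HTTPS for in-app pages, matches hosts exactly or by subdomain (so `wallet.example.evil.test` does not match `wallet.example`), ignores userinfo tricks, and only hands `http:`/`https:` targets to the external browser rather than forwarding arbitrary schemes such as `file:` or `javascript:`.

```javascript
// Added example (not from Parity UI): decide where an embedded-browser
// navigation should go. Allowlist entries are constructed placeholders.
const ALLOWED_HOSTS = ["wallet.example", "docs.example"];

// Returns true only if `url` (a WHATWG URL object) may load inside the app.
function isAllowedInApp(url, allowedHosts = ALLOWED_HOSTS) {
  if (url.protocol !== "https:") return false;           // in-app pages must be TLS
  if (url.username || url.password) return false;        // reject "https://good@evil" forms
  const host = url.hostname.toLowerCase().replace(/\.$/, ""); // normalise trailing dot
  // Exact host or a subdomain of an allowlisted host; substring matches are not enough.
  return allowedHosts.some((a) => host === a || host.endsWith("." + a));
}

// Returns "in-app", "external" (open in the OS default browser) or "block".
function routeNavigation(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return "block"; // unparsable input is never navigated anywhere
  }
  if (isAllowedInApp(url)) return "in-app";
  // Only web URLs are passed to the default browser; other schemes are dropped.
  if (url.protocol === "http:" || url.protocol === "https:") return "external";
  return "block";
}

// Stand-alone demonstration with constructed inputs.
for (const target of [
  "https://wallet.example/send",
  "https://wallet.example.evil.test/",
  "http://wallet.example/",
  "javascript:alert(1)",
]) {
  console.log(target, "->", routeNavigation(target));
}

module.exports = { isAllowedInApp, routeNavigation };
```

In an Electron-style shell (assumed here, not stated on the page) this decision would be applied in the main process's navigation hooks, calling `event.preventDefault()` and opening "external" targets with the platform's external-open API; "block" targets are simply dropped and can be logged for review.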