Skip to content

Commit

Permalink
Add info about pre-loading to the Sec-Fetch-Dest GET check
Browse files Browse the repository at this point in the history
We check that the page is not being loaded with
JS, which should prevent attackers from scraping
all other pages if they gain access to one.

It seems that this check is incompatible with Chrome
prefetching (and obviously also any JS-based prefetching).
The issue seems to be that Chrome does not know
how will the prefetched document be used.

According to their documentation, it should ignore
prefetch requests with non-2XX status code.
Our rejections are 403, so it should not display them
to the user.
  • Loading branch information
exyi authored and tomasherceg committed Nov 3, 2024
1 parent 7a2dfae commit cf5e573
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion src/Framework/Framework/Hosting/DotvvmPresenter.cs
Original file line number Diff line number Diff line change
Expand Up @@ -537,8 +537,11 @@ Cross site iframe are disabled in this application.
if (context.RequestType is not DotvvmRequestType.SpaNavigate)
await context.RejectRequest($"""
Pages can not be loaded using Javascript for security reasons.
Try refreshing the page to get rid of the error.
If you are the developer, you can disable this check by setting DotvvmConfiguration.Security.VerifySecFetchForPages.ExcludeRoute("{route}"). [dest: {dest}, site: {site}]
If you are the developer, you can disable this check by setting DotvvmConfiguration.Security.VerifySecFetchForPages.ExcludeRoute("{route}").
Note that this security check is not compatible with page preloading, such as TurboLinks, Cloudflare Speed Brain, or similar. You'll need to disable one of these. The check is "only" a deference-in-depth measure against XSS and disabling it is perfectly safe in the absence of other vulnerabilities.
""");
if (site != "same-origin")
await context.RejectRequest($"Cross site SPA requests are disabled.");
Expand Down

0 comments on commit cf5e573

Please sign in to comment.