-
Notifications
You must be signed in to change notification settings - Fork 554
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DartPad hijacking #2994
Comments
I don't quite follow this, how does one took advantage of this? It looks like a harmless little fun thing for someone to edit the source code in their own client side via JavaScript. |
The issue is that its not |
Well, yeah, someone could make this happen when they write a blog that links to But:
|
Popups are allowed by default in most browsers after user activation such as a click. (Avoids a website being able to spam the user with popups) In its self maybe harmless hence public issue however its a spoofing risk if the user trusts content on docs.flutter.dev with an API key |
I think the solution here would be to restrict what code can be injected into the execution iframe, not the DartPad embedded iframe. |
What happened?
Attacker code is injected on to the
docs.flutter.dev
dart-pad embed.Steps to reproduce problem
Additional info
I did think about making a PR in #2993 but made a mess instead.
Think the fix is to
Only allow DartPad injection from window.parent
for both code and error logs.The text was updated successfully, but these errors were encountered: