Commit 857587b

Browse files
fix: do not share token with http app urls (#17720)
It's a security issue to share the API token, and the protocols that we actually want to share it with are not HTTP and handled locally on the same machine. Security issue introduced by #17708
1 parent 4341403 commit 857587b

File tree

1 file changed

+5
-1
lines changed


site/src/modules/resources/AppLink/AppLink.tsx

Lines changed: 5 additions & 1 deletion
@@ -106,7 +106,11 @@ export const AppLink: FC<AppLinkProps> = ({ app, workspace, agent }) => {
106106

107107
event.preventDefault();
108108

109-
if(app.external){
109+
// HTTP links should never need the session token, since Cookies
110+
// handle sharing it when you access the Coder Dashboard. We should
111+
// never be forwarding the bare session token to other domains!
112+
constisHttp=app.url?.startsWith("http");
113+
if(app.external&&!isHttp){
110114
// This is a magic undocumented string that is replaced
111115
// with a brand-new session token from the backend.
112116
// This only exists for external URLs, and should only
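Review bot: the new guard `const isHttp = app.url?.startsWith("http");` is a case-sensitive prefix test on the raw string, so a URL whose scheme is written as `HTTP://` or `HTTPS://` (URL schemes are case-insensitive) is not classified as HTTP and still reaches the token-substitution branch under `if (app.external && !isHttp)`; it also leaves `isHttp` undefined, and therefore the guard open, when `app.url` is unset. Since the commit message states the token is only meant for non-HTTP protocols handled locally on the same machine, consider inverting this into an allowlist of those expected schemes, for example parsing with `new URL(app.url)` and comparing `protocol` against the known local handlers, or at minimum normalising with `app.url?.toLowerCase().startsWith("http")` and treating a missing URL as not eligible for the token.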

0 commit comments

