Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ipfs-companion clears local storage when using local gateway #977

Closed
xuhcc opened this issue Jan 29, 2021 · 3 comments
Closed

ipfs-companion clears local storage when using local gateway #977

xuhcc opened this issue Jan 29, 2021 · 3 comments
Assignees
@lidel
Labels
area/firefox Issues related to Mozilla Firefox effort/hours Estimated to take one or several hours exp/intermediate Prior experience is likely helpful P0 Critical: Tackled by core team ASAP status/blocked/upstream-bug Blocked by upstream bugs status/in-progress In progress topic/security Work related to security

Comments

@xuhcc
Copy link

xuhcc commented Jan 29, 2021

Describe the bug

If I configure ipfs-companion to use local subdomain gateway it somehow clears local storage every time the page is loaded via gateway, and not only at ipfs.localhost origin, but on all localhost origins. This does not happen when I use remote path-based gateway.

To Reproduce
Steps to reproduce the behavior:

  1. Open local page (e.g. http://localhost:1234) and add something to local storage.
  2. Open new tab and load something via local IPFS gateway, for example http://blog.ipfs.io.ipns.localhost:8001/
  3. Local storage at http://blog.ipfs.io.ipns.localhost:8001/ is cleared
  4. Local storage at http://localhost:1234 also cleared

Expected behavior

Local storage must not be cleared anywhere.

Desktop:

  • OS: Linux
  • Browser: Firefox 84
  • IPFS companion: 2.17.3
@xuhcc xuhcc added the need/triage Needs initial labeling and prioritization label Jan 29, 2021
@lidel lidel added area/firefox Issues related to Mozilla Firefox exp/intermediate Prior experience is likely helpful effort/hours Estimated to take one or several hours P0 Critical: Tackled by core team ASAP status/blocked/upstream-bug Blocked by upstream bugs status/in-progress In progress topic/security Work related to security labels Jan 29, 2021
@lidel lidel self-assigned this Jan 29, 2021
@lidel
Copy link
Member

lidel commented Jan 29, 2021
edited
Loading

Thank you for reporting this @xuhcc, nice catch!

I suspect this might be because we use path-based router which then returns a redirect to the proper subdomain.
It is the same as redirect as when opening https://dweb.link/ipns/en.wikipedia-on-ipfs.org and ending up at https://en-wikipedia--on--ipfs-org.ipns.dweb.link

The caveat is that the redirect is returned with Clear-Site-Data: "cookies", "storage" HTTP header which was added to go-ipfs as precaution in early days of subdomain gateways. This header should be ignored by browsers on redirects, but it seems that Firefox acts on it (I confirmed that Brave does not clear cookies).

I believe we should remove Clear-Site-Data from redirect responses:

  • subdomain gateways ended up being self-contained. Once a gateway domain is defined in config, it is impossible to load websites from paths, we always return either a redirect or an error
  • Clear-Site-Data support across vendors is buggy and that is not just Firefox: Chromium been ignoring related bug for three years: https://bugs.chromium.org/p/chromium/issues/detail?id=898503)

Will prepare upstream fix shortly and will try to include it in go-ipfs 0.8.0.
Until that happens, a workaround is to use Brave.

@lidel lidel mentioned this issue Jan 29, 2021
Merged
@lidel lidel removed the need/triage Needs initial labeling and prioritization label Jan 29, 2021
@xuhcc
Copy link
Author

xuhcc commented Mar 28, 2021

@lidel Has the fix been included in go-ipfs 0.8.0?

@lidel
Copy link
Member

lidel commented Mar 30, 2021

@xuhcc no, it is scheduled for 0.9.0: ipfs/kubo#7890

hacdias pushed a commit to ipfs/boxo that referenced this issue Jan 27, 2023
@lidel
fix: remove use of Clear-Site-Data
cd00521 
We used Clear-Site-Data to cushion transition period for local gateway
exposed at http://localhost while we were still figuring out
security-related details.

In the final implementation subdomain gateways are not tied to a
hostname explicitly, which removes the risk of cookies leaking,
removing the need for the header.

Turns out it causes issues for Firefox users, so let's just remove it.

Closes ipfs/ipfs-companion#977


This commit was moved from ipfs/kubo@d61ae2b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lidel lidel

Labels
area/firefox Issues related to Mozilla Firefox effort/hours Estimated to take one or several hours exp/intermediate Prior experience is likely helpful P0 Critical: Tackled by core team ASAP status/blocked/upstream-bug Blocked by upstream bugs status/in-progress In progress topic/security Work related to security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lidel @xuhcc