Projects STRLCPY link-lock Commits 1b81770a
  • Fix vulnerability in Chrome

    In Chrome, once a user is successfully redirected, the icon of a bookmarked
    link would change to be the icon of the destination page. This means that
    bookmarked links would not be completely locked, and information would leak.
    Changing `window.location.replace` in the code to instead be
    `window.location.href` simulates a user clicking rather than a real HTTP
    request and thus prevents Chrome from changing the icon, and eliminates this
    leakage of information.
  • Jacob Strieb committed 4 years ago
    1b81770a
    1 parent 9aca7db9
    index.html
    skipped 86 lines
    87 87   try {
    88 88   // Extra check to make sure the URL is valid. Probably shouldn't fail.
    89 89   new URL(url);
    90  - window.location.replace(url);
     90 + // IMPORTANT NOTE: must use window.location.href instead of the (in
     91 + // my opinion more proper) window.location.replace. If you use
     92 + // replace, it causes Chrome to change the icon of a bookmarked link
     93 + // to update it to the unlocked destination.
     94 + window.location.href = url;
    91 95   } catch {
    92 96   error("A corrupted URL was encrypted. Cannot redirect.");
    93 97   console.log(url);
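Review bot: The `new URL(url)` check just before `window.location.href = url;` only proves that the string parses. It places no restriction on the scheme, so a decrypted `javascript:` URL passes it and would run in this page's origin when assigned to `location.href`. Consider keeping the parsed object and refusing to navigate unless its `protocol` is on an explicit allowlist (for example `http:` and `https:`), reporting anything else through the existing `error(...)` path. Separately, the new comment should also record that assigning `href`, unlike `replace`, leaves the lock page in session history, so Back returns to it after the redirect.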
    skipped 31 lines