authorSamuel Mannehed <samuel@cendio.se>2021-09-01 16:00:19 +0200
committerGitHub <noreply@github.com>2021-09-01 16:00:19 +0200
commitfcb95821b76e105ed4a7ce4c2c19549c8dbbeb44 (patch)
tree62447642bfa95629ff9ee1a05c9136afe4dfcbbe
parent0a8ced2cfeadd4dc58cb573010f9993834694b38 (diff)
parentf796b05e42cfac7044cca9603e59f258605228f3 (diff)
downloadnovnc-fcb95821b76e105ed4a7ce4c2c19549c8dbbeb44.tar.gz
Merge pull request #1573 from yatru/security-privacy-url-patch
Security: privacy for URL parameters
-rw-r--r--app/webutil.js11
-rw-r--r--vnc_lite.html11
2 files changed, 19 insertions, 3 deletions
diff --git a/app/webutil.js b/app/webutil.js
index a9fee32..ef23fcb 100644
--- a/app/webutil.js
+++ b/app/webutil.js
@@ -20,10 +20,19 @@ export function initLogging(level) {
}
// Read a query string variable
+// A URL with a query parameter can look like this (But will most probably get logged on the http server):
+// https://www.example.com?myqueryparam=myvalue
+//
+// For privacy (Using a hastag #, the parameters will not be sent to the server)
+// the url can be requested in the following way:
+// https://www.example.com#myqueryparam=myvalue&password=secreatvalue
+//
+// Even Mixing public and non public parameters will work:
+// https://www.example.com?nonsecretparam=example.com#password=secreatvalue
export function getQueryVar(name, defVal) {
"use strict";
const re = new RegExp('.*[?&]' + name + '=([^&#]*)'),
- match = document.location.href.match(re);
+ match = ''.concat(document.location.href, " ", window.location.hash).match(re);
if (typeof defVal === 'undefined') { defVal = null; }
if (match) {
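Review bot: The value captured on L38 can pick up a trailing space: `document.location.href` already carries the fragment, so when the URL has no fragment `window.location.hash` is empty, the concatenated string ends in `" "`, and `[^&#]*` swallows that space as part of the last query parameter's value (`?password=abc` yields `"abc "`, which would make a fragment-free login fail silently). The regex also still requires `[?&]` immediately before the name, so the first parameter of a fragment — the `#password=` case the new comment at L33 documents — never matches as written. Since href includes the fragment, it should be enough to accept `#` as a separator and drop the concatenation: `const re = new RegExp('.*[?&#]' + name + '=([^&#]*)'),` followed by `match = document.location.href.match(re);`. The same two issues apply to L64 in the vnc_lite.html hunk, and the added comments in both hunks read "hastag"/"secreatvalue" where "hashtag"/"secretvalue" is meant.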
diff --git a/vnc_lite.html b/vnc_lite.html
index 36b062b..1f6e030 100644
--- a/vnc_lite.html
+++ b/vnc_lite.html
@@ -109,13 +109,20 @@
// query string. If the variable isn't defined in the URL
// it returns the default value instead.
function readQueryVariable(name, defaultValue) {
- // A URL with a query parameter can look like this:
+ // A URL with a query parameter can look like this (But will most probably get logged on the http server):
// https://www.example.com?myqueryparam=myvalue
//
+ // For privacy (Using a hastag #, the parameters will not be sent to the server)
+ // the url can be requested in the following way:
+ // https://www.example.com#myqueryparam=myvalue&password=secreatvalue
+ //
+ // Even Mixing public and non public parameters will work:
+ // https://www.example.com?nonsecretparam=example.com#password=secreatvalue
+ //
// Note that we use location.href instead of location.search
// because Firefox < 53 has a bug w.r.t location.search
const re = new RegExp('.*[?&]' + name + '=([^&#]*)'),
- match = document.location.href.match(re);
+ match = ''.concat(document.location.href, " ", window.location.hash).match(re);
if (match) {
// We have to decode the URL since want the cleartext value