From fc2ace5683d40cbb602df863ee3c4bf1185f27d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Standa=20Luke=C5=A1?= Date: Thu, 24 Oct 2024 23:04:10 +0200 Subject: [PATCH] Add info about pre-loading to the Sec-Fetch-Dest GET check We check that the page is not being loaded with JS, which should prevent attackers from scraping all other pages if they gain access to one. It seems that this check is incompatible with Chrome prefetching (and obviously also any JS-based prefetching). The issue seems to be that Chrome does not know how will the prefetched document be used. According to their documentation, it should ignore prefetch requests with non-2XX status code. Our rejections are 403, so it should not display them to the user. --- src/Framework/Framework/Hosting/DotvvmPresenter.cs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/Framework/Framework/Hosting/DotvvmPresenter.cs b/src/Framework/Framework/Hosting/DotvvmPresenter.cs index dee997e54a..58df553bda 100644 --- a/src/Framework/Framework/Hosting/DotvvmPresenter.cs +++ b/src/Framework/Framework/Hosting/DotvvmPresenter.cs @@ -537,8 +537,11 @@ Cross site iframe are disabled in this application. if (context.RequestType is not DotvvmRequestType.SpaNavigate) await context.RejectRequest($""" Pages can not be loaded using Javascript for security reasons. + Try refreshing the page to get rid of the error. - If you are the developer, you can disable this check by setting DotvvmConfiguration.Security.VerifySecFetchForPages.ExcludeRoute("{route}"). [dest: {dest}, site: {site}] + + If you are the developer, you can disable this check by setting DotvvmConfiguration.Security.VerifySecFetchForPages.ExcludeRoute("{route}"). + Note that this security check is not compatible with page preloading, such as TurboLinks, Cloudflare Speed Brain, or similar. You'll need to disable one of these. The check is "only" a deference-in-depth measure against XSS and disabling it is perfectly safe in the absence of other vulnerabilities. """); if (site != "same-origin") await context.RejectRequest($"Cross site SPA requests are disabled.");