bug-librejs

LibreJS seems to ignore query strings


From: Jacob K
Subject: LibreJS seems to ignore query strings
Date: Tue, 8 Nov 2022 17:07:18 -0600

Hello,

I noticed a problem with the way LibreJS displays some script links.
LibreJS does not include the query string (the part after the '?') when
presenting links, which means the script you click on in LibreJS could
be different from the script that actually would be executed. For
example, on this page for sample ballots [1], you will see a script at
[2] listed in LibreJS, but when you click on that link, you will get a
404 error page. If you view the HTML source of the page [3] and ctrl+F
for "WebResource", you will see that there is a corresponding script tag
that should include
"?d=MNJoMkNhH6PXyoAVyephgc5zG0Kl3XENDyBeYod5KBRwslKU_pr2SCPr4zAZ53jiLf6hyOkI2Z1aLd0nedPpQ5sN6ILFmouLh4mOzmCwTIU1&t=637814437746327080"
after the part of the URL that LibreJS shows.

I looked for previous discussion about this, but I could not find any.

It seems that LibreJS should show the query string also, but I suppose
there could be a link that updates with every refresh, despite pointing
to the same script text, so I'm not sure what the best way to handle
this is.

When the URL without the query string is a 404 or an empty script, this
problem is mostly a matter of convenience, but I imagine there could be
a problem where, if LibreJS is ignoring query strings completely (and
I'm not sure that it is), then a page could serve a free non-malicious
script when there is no query string, but serve a nonfree or malicious
script when there is a particular query string. There are surely other
ways for webpages to trick people into running malware [4], so maybe
this is not such a big deal.

Ideally, I think LibreJS should store checksums of scripts, but it seems
like it only does this for inline scripts currently?

[1]
https://www.collincountytx.gov/elections/election_information/Pages/sampleballots.aspx

[2] https://www.collincountytx.gov/WebResource.axd

[3] (e.g. using
view-source:https://www.collincountytx.gov/elections/election_information/Pages/sampleballots.aspx
in Abrowser/Firefox )

[4] (e.g. simply sending a malicious script in 1/100 cases; most people
would see the non-malicious script first, but most people who used the
site often would run the non-malicious script eventually)
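As an added illustration (not code from this report or from LibreJS), the following Python sketch uses a constructed sample page on a hypothetical host (example.test) and a dictionary standing in for the server's responses: it extracts script URLs with their query strings intact, shows that the query-stripped URL serves different content than the URL the browser would actually execute, and checks a script by content hash rather than by URL, along the lines suggested above.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample page (hypothetical host, not the site named in the mail).
BASE = "https://example.test/elections/Pages/ballots.aspx"
SAMPLE_HTML = (
    '<html><body><p>ballots</p>'
    '<script src="/WebResource.axd?d=CONSTRUCTED_TOKEN&amp;t=1" type="text/javascript"></script>'
    '</body></html>'
)
# Stand-in for the server: the bare path returns an empty body (the 404/empty
# case described in the mail), the full URL returns the real script.
SERVER = {
    "https://example.test/WebResource.axd": b"",
    "https://example.test/WebResource.axd?d=CONSTRUCTED_TOKEN&t=1": b"function f(){return 1;}",
}

class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")  # HTMLParser already unescapes &amp; to &
        if tag == "script" and src:
            self.srcs.append(src)

def script_urls(html, base):
    """Return absolute script URLs, query string included."""
    p = ScriptSrcParser()
    p.feed(html)
    return [urljoin(base, s) for s in p.srcs]

def strip_query(url):
    """What a display that drops the query string would show the user."""
    s = urlsplit(url)
    return urlunsplit((s.scheme, s.netloc, s.path, "", ""))

def sha256_hex(body):
    return hashlib.sha256(body).hexdigest()

def displayed_matches_executed(url):
    """True only if the shown (query-stripped) URL serves the same bytes as the executed URL."""
    return SERVER.get(strip_query(url), b"") == SERVER.get(url, b"")

def is_known_script(body, trusted_hashes):
    """Decide by content hash, so a rotating query string cannot change the verdict."""
    return sha256_hex(body) in trusted_hashes

if __name__ == "__main__":
    for url in script_urls(SAMPLE_HTML, BASE):
        print(url, "->", strip_query(url), "same content:", displayed_matches_executed(url))
```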
