perf(ui/sidebar): prevent potential token leakage by clearing query i…

…n iframe url The previous referrer policy was already set to `strict-origin`, but to further enhance security, this modification was made.
ArtalkJS · Jan 30, 2024 · 0e0b53f · 0e0b53f
1 parent dba5ba5
commit 0e0b53f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/server/handler/setting_apply.go b/server/handler/setting_apply.go
@@ -60,7 +60,7 @@ func SettingApply(app *core.App, router fiber.Router) {
 			return common.RespError(c, 500, i18n.T("Restart failed: {{err}}", map[string]interface{}{"err": err.Error()}))
 		}
 
-		log.Info(i18n.T("Services restart complete"))
+		log.Info("[Apply Settings] " + i18n.T("Services restart complete"))
 
 		return common.RespSuccess(c)
 	}))

diff --git a/ui/artalk-sidebar/src/global.ts b/ui/artalk-sidebar/src/global.ts
@@ -17,6 +17,13 @@ export const bootParams = getBootParams()
 function getBootParams() {
   const p = new URLSearchParams(document.location.search)
 
+  // call history api to clear search params
+  // on purpose to prevent the params (e.g. user token)
+  // from being leaked like from the referrer header or the browser history
+  if (!!p.get('user') && window.history.replaceState) {
+    window.history.replaceState({}, '', window.location.pathname)
+  }
+
   return {
     pageKey:    p.get('pageKey') || '',
     site:       p.get('site') || '',