View Issue Details
Field | Value
---|---
ID | 0007798
Project | Taler
Category | wallet (WebExtension)
View Status | public
Date Submitted | 2023-04-10 17:21
Last Update | 2023-04-11 18:40
Reporter | sebasjm
Assigned To | sebasjm
Priority | normal
Severity | feature
Reproducibility | N/A
Status | closed
Resolution | won't fix
Product Version | 0.9.3
Target Version | 0.9.3
Fixed in Version | 0.9.3
Summary | 0007798: wallet UI should warn before redirect
Tags | No tags attached.

Description

The issue is taken from the comments of @grote in 0007473.

Places where the wallet UI redirects the user outside the wallet:

* withdrawal process to bank account (captcha confirmation)
* after purchase to merchant site (fulfillment url)

(not an exhaustive list)

In the case that the redirection URL comes from $DOMAIN:

* if the redirectionUrl.hostname == $DOMAIN then the destination is trusted
* if the redirectionUrl.hostname is in a list of domains trusted by the user, then it is trusted
* if the domain is not trusted:
  * tell the user that they are going to be redirected to URL
  * show a checkbox "I trust this location, don't warn me again"

relevant:
https://owasp-aasvs.readthedocs.io/en/latest/requirement-16.1.html
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
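The trust decision sketched in the description, written out as an added JavaScript example. This is not the Taler wallet's code (the issue was closed as won't fix); it only shows what the proposed check would have to cover. The function names `classifyRedirect` and `handleRedirect`, the `state.trustedDomains` list and the domains `bank.example`, `shop.example` and `evil.example` are assumptions for illustration. It goes slightly beyond the description in two places a practitioner would insist on: non-web schemes and URLs carrying userinfo (`https://bank.example@evil.example/`) are refused outright rather than compared by hostname, since those are the classic ways an open-redirect target is made to look like the origin.

```javascript
// Added example, not Taler wallet code.  Names and sample domains are assumptions.
// Uses the WHATWG URL class available in Node.js and browsers.

// Normalise a hostname for comparison: lower-case and drop a trailing dot.
function normalizeHost(h) {
  return h.toLowerCase().replace(/\.$/, "");
}

// Classify a redirect target as in the issue description:
//   hostname == $DOMAIN                 -> "trusted"
//   hostname in user's trusted domains  -> "trusted"
//   otherwise                           -> "warn" (show the dialog)
// Plus two refusals the description does not mention but any redirect gate needs:
//   unparseable / non-http(s) scheme / userinfo present -> "block"
// Returns { decision, reason, target }.
function classifyRedirect(redirectUrl, originDomain, trustedDomains) {
  let url;
  try {
    url = new URL(redirectUrl);
  } catch (e) {
    return { decision: "block", reason: "unparseable URL", target: redirectUrl };
  }
  // javascript:, data:, file: and friends must never be "opened" as a redirect.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { decision: "block", reason: "refusing scheme " + url.protocol, target: url.href };
  }
  // "https://bank.example@evil.example/" has hostname evil.example; refuse rather than guess.
  if (url.username !== "" || url.password !== "") {
    return { decision: "block", reason: "URL contains userinfo", target: url.href };
  }
  const host = normalizeHost(url.hostname);
  if (host === normalizeHost(originDomain)) {
    return { decision: "trusted", reason: "same domain as origin", target: url.href };
  }
  if (trustedDomains.some((d) => normalizeHost(d) === host)) {
    return { decision: "trusted", reason: "user-trusted domain", target: url.href };
  }
  return { decision: "warn", reason: host + " is not a trusted domain", target: url.href };
}

// Model the dialog from the description.  `userChoice` stands in for the user's
// answer: { proceed: bool, dontWarnAgain: bool }.  Ticking "don't warn me again"
// adds the hostname to state.trustedDomains, so the next redirect there is silent.
function handleRedirect(redirectUrl, originDomain, state, userChoice) {
  const verdict = classifyRedirect(redirectUrl, originDomain, state.trustedDomains);
  if (verdict.decision !== "warn") {
    return verdict; // trusted or blocked: no dialog involved
  }
  if (!userChoice || !userChoice.proceed) {
    return { decision: "cancelled", reason: "user declined", target: verdict.target };
  }
  if (userChoice.dontWarnAgain) {
    state.trustedDomains.push(new URL(verdict.target).hostname);
  }
  return { decision: "trusted", reason: "user confirmed", target: verdict.target };
}

// Constructed walk-through with the assumed domains.
const state = { trustedDomains: ["shop.example"] };
console.log(classifyRedirect("https://bank.example/confirm?captcha=1", "bank.example", state.trustedDomains).decision);
console.log(classifyRedirect("https://shop.example/order/42", "bank.example", state.trustedDomains).decision);
console.log(classifyRedirect("https://bank.example@evil.example/", "bank.example", state.trustedDomains).decision);
console.log(handleRedirect("https://evil.example/", "bank.example", state, { proceed: true, dontWarnAgain: true }).decision);
console.log(classifyRedirect("https://evil.example/again", "bank.example", state.trustedDomains).reason);
```

The "don't warn me again" checkbox makes the trusted list grow with every confirmation, which is exactly the habituation concern raised in the closing note: once a user has clicked through a few times, the list no longer distinguishes sites the user vetted from sites the user simply wanted to get past.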
Notes

(0020056) sebasjm 2023-04-10 17:23

Adding Marc and Florian for comments.

(0020074) Christian Grothoff 2023-04-11 18:40

Opening a URL in a browser should always be 'safe'. The wallet won't export dangerous secrets (say via URL parameters), and we're not in a walled garden where we try to keep users inside either. So there is no good reason for this; teaching users to click away warnings is not a good practice, and it is also bad for UX. We will not do this.

Issue History
Date Modified | Username | Field | Change |
---|---|---|---|
2023-04-10 17:21 | sebasjm | New Issue | |
2023-04-10 17:21 | sebasjm | Status | new => assigned |
2023-04-10 17:21 | sebasjm | Assigned To | => sebasjm |
2023-04-10 17:23 | sebasjm | Note Added: 0020056 | |
2023-04-11 18:40 | Christian Grothoff | Note Added: 0020074 | |
2023-04-11 18:40 | Christian Grothoff | Severity | minor => feature |
2023-04-11 18:40 | Christian Grothoff | Reproducibility | always => N/A |
2023-04-11 18:40 | Christian Grothoff | Status | assigned => closed |
2023-04-11 18:40 | Christian Grothoff | Resolution | open => won't fix |
2023-04-11 18:40 | Christian Grothoff | Fixed in Version | => 0.9.3 |
2023-04-13 20:37 | Florian Dold | Category | wallet (WebExtensions) => wallet (WebExtension) |