Improve security of set_base_redirect

.env.example

@@ -1,4 +1,5 @@
 BRANDING_NAME = "FixTweet"
+STANDARD_DOMAIN_LIST = "fxtwitter.com,fixupx.com,twittpr.com"
 DIRECT_MEDIA_DOMAINS = "d.fxtwitter.com,dl.fxtwitter.com,d.pxtwitter.com,d.twittpr.com,dl.pxtwitter.com,dl.twittpr.com,d.fixupx.com,d.xfixup.com,dl.fixupx.com,dl.xfixup.com"
 TEXT_ONLY_DOMAINS = "t.fxtwitter.com,t.twittpr.com,t.fixupx.com,t.xfixup.com"
 INSTANT_VIEW_DOMAINS = "i.fxtwitter.com,i.twittpr.com,i.fixupx.com,i.xfixup.com"

jestconfig.json

@@ -7,6 +7,7 @@
     "BRANDING_NAME": "FixTweet",
     "TEXT_ONLY_DOMAINS": "t.fxtwitter.com,t.twittpr.com",
     "INSTANT_VIEW_DOMAINS": "i.fxtwitter.com,i.twittpr.com",
+    "STANDARD_DOMAIN_LIST": "fxtwitter.com,fixupx.com,twittpr.com",
     "DIRECT_MEDIA_DOMAINS": "d.fxtwitter.com,dl.fxtwitter.com",
     "MOSAIC_DOMAIN_LIST": "mosaic.fxtwitter.com",
     "DEPRECATED_DOMAIN_LIST": "pxtwitter.com,www.pxtwitter.com",

src/constants.ts

@@ -1,6 +1,7 @@
 export const Constants = {
   /* These constants are populated by variables in .env, then set by Webpack */
   BRANDING_NAME: BRANDING_NAME,
+  STANDARD_DOMAIN_LIST: STANDARD_DOMAIN_LIST.split(','),
   DIRECT_MEDIA_DOMAINS: DIRECT_MEDIA_DOMAINS.split(','),
   TEXT_ONLY_DOMAINS: TEXT_ONLY_DOMAINS.split(','),
   INSTANT_VIEW_DOMAINS: INSTANT_VIEW_DOMAINS.split(','),

src/server.ts

@@ -377,6 +377,20 @@ const setRedirectRequest = async (request: IRequest) => {
   const { searchParams } = new URL(request.url);
   let url = searchParams.get('url');
 
+  /* Check that origin either does not exist or is in our domain list */
+  const origin = request.headers.get('origin');
+  if (origin && !Constants.STANDARD_DOMAIN_LIST.includes(new URL(origin).hostname)) {
+    return new Response(
+      Strings.MESSAGE_HTML.format({
+        message: `Failed to set base redirect: Your request seems to be originating from another domain, please open this up in a new tab if you are trying to set your base redirect.`
+      }),
+      {
+        headers: Constants.RESPONSE_HEADERS,
+        status: 403
+      }
+    );
+  }
+
   if (!url) {
     /* Remove redirect URL */
     return new Response(
@@ -386,6 +400,7 @@ const setRedirectRequest = async (request: IRequest) => {
       {
         headers: {
           'set-cookie': `base_redirect=; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT; secure; HttpOnly`,
+          'content-security-policy': `frame-ancestors ${Constants.STANDARD_DOMAIN_LIST.join(' ')};`,
           ...Constants.RESPONSE_HEADERS
         },
         status: 200
@@ -409,6 +424,7 @@ const setRedirectRequest = async (request: IRequest) => {
         {
           headers: {
             'set-cookie': `base_redirect=; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT; secure; HttpOnly`,
+            'content-security-policy': `frame-ancestors ${Constants.STANDARD_DOMAIN_LIST.join(' ')};`,
             ...Constants.RESPONSE_HEADERS
           },
           status: 200
@@ -429,6 +445,7 @@ const setRedirectRequest = async (request: IRequest) => {
     {
       headers: {
         'set-cookie': `base_redirect=${url}; path=/; max-age=63072000; secure; HttpOnly`,
+        'content-security-policy': `frame-ancestors ${Constants.STANDARD_DOMAIN_LIST.join(' ')};`,
         ...Constants.RESPONSE_HEADERS
       },
       status: 200

src/types/env.d.ts

@@ -1,4 +1,5 @@
 declare const BRANDING_NAME: string;
+declare const STANDARD_DOMAIN_LIST: string;
 declare const DIRECT_MEDIA_DOMAINS: string;
 declare const TEXT_ONLY_DOMAINS: string;
 declare const INSTANT_VIEW_DOMAINS: string;

webpack.config.js

@@ -19,6 +19,7 @@ require('dotenv').config();
 
 let envVariables = [
   'BRANDING_NAME',
+  'STANDARD_DOMAIN_LIST',
   'DIRECT_MEDIA_DOMAINS',
   'TEXT_ONLY_DOMAINS',
   'INSTANT_VIEW_DOMAINS',