Add a possibility to manage own nodes on Nodes screen

[bludnic]

I will try to make it work at least for Electron. Managing custom nodes in the web version is problematic due to the CSP (Content Security Policy).

The CSP rules are returned in the server response. It will block any request from the client that doesn't match *.adamant.im. So the user custom nodes will not work by default.

Checklist

• Add UI components for Add/Edit a custom node
• Integrate those components into NodesTable
• Make the custom nodes persistent (page reload, tab close) using LocalStorage
• Make it work in the Electron app

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
adamant-im	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Oct 27, 2023 5:32pm

[github-actions]

Deployed to https://msg-adamant-pr-541.surge.sh 🚀

[bludnic]

Feat: Add a possibility to manage own nodes on Nodes screen (Electron)

[bludnic]

One possible solution could be by generating CSP dynamically based on a user cookie. The cookie will contain an array of custom nodes.

Scenario:

1. User adds a custom node on the Nodes screen
2. A cookie will be set CUSTOM_NODES=http://custom-node1.com,http://custom-node2.com
3. Refresh the page. It is required to send that cookie to the server (we can do it programmatically, or let the user do it by itself)
4. The msg.adamant.im will read that cookie, and add custom domains to CSP in the response

[adamant-al]

One possible solution could be by generating CSP dynamically based on a user cookie. The cookie will contain an array of custom nodes.

Scenario:

1. User adds a custom node on the Nodes screen
2. A cookie will be set CUSTOM_NODES=http://custom-node1.com,http://custom-node2.com
3. Refresh the page. It is required to send that cookie to the server (we can do it programmatically, or let the user do it by itself)
4. The msg.adamant.im will read that cookie, and add custom domains to CSP in the response

It seems complicated for me and looks not secure. Also, currently the app doesn't use cookies.

What do you think, @martiliones?

[martiliones]

If the list of nodes is controlled by a user and affects only their own client, should we block fetch requests in the first place? There is no safe way to manage CSP because the client (user) defines which nodes are considered safe, not the server.

The only way to make request to URL that's not in the list is by executing 3rd party script, in which case the script could also edit CSP options.

[adamant-al]

If the list of nodes is controlled by a user and affects only their own client,

Yes.

should we block fetch requests in the first place?

What do you mean?

There is no safe way to manage CSP because the client (user) defines which nodes are considered safe, not the server.
The only way to make request to URL that's not in the list is by executing 3rd party script, in which case the script could also edit CSP options.

That's why I don't like it.

[martiliones]

should we block fetch requests in the first place?

What do you mean?

I think we can disable CSP for fetch requests but keep it enabled for content like images/scripts/iframe etc. As an alternative, we can make "Allow unknown nodes" option.

[adamant-al]

I think we can disable CSP for fetch requests but keep it enabled for content like images/scripts/iframe etc. As an alternative, we can make "Allow unknown nodes" option.

Is it possible to "disable CSP for fetch requests"? Provide some details.

What is "Allow unknown nodes" option?

As I understand, CSP is generally static and set on the web server. We set it for msg.adamant.im.

[martiliones]

Is it possible to "disable CSP for fetch requests"? Provide some details.

We can set connect-src * to allow requests to any url made by script:

loading image has been blocked by CSP while fetch request to node passed

What is "Allow unknown nodes" option?

A checkbox in the settings that user should mark to use 3rd party nodes, we can warn the user that they are responsible for trusting the node.

[adamant-al]

We can set connect-src * to allow requests to any url made by script
loading image has been blocked by CSP while fetch request to node passed

Is it safe?

A checkbox in the settings that user should mark to use 3rd party nodes, we can warn the user that they are responsible for trusting the node.

Is it possible to allow CSP in runtime?

@bludnic @RealGoodProgrammer
What do you think?

[martiliones]

Is it safe?

Unless we make requests to untrusted URLs ourselves, it should be safe

Is it possible to allow CSP in runtime?

I meant we can check it in JavaScript

What I think we really need to care about is this line where we are allowing to inject scripts and run code using eval():

script-src 'self' 'unsafe-inline' 'unsafe-eval' *.adamant.im;

@bludnic can we remove 'unsafe-inline' and 'unsafe-eval'?

[bludnic]

@martiliones I guess not, we cant remove that rules.

'unsafe-eval' is required by @liskhq/lisk-validator
'unsafe-inline' make possible using onload when loading fonts