-
Notifications
You must be signed in to change notification settings - Fork 325
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expose IPFS API as window.ipfs #330
Comments
I've made two PoCs on this concept. One was separate and you can see it here: https://github.com/victorbjelkholm/js-ipfs-in-the-browser The other one was a recent try to integrate that work into ipfs-companion and fix the stream issue in
I don't think that's good enough. I think (judging only five different methods) that the functions themselves should trigger the permission dialog (all with a "remember for this site" checkbox)
|
Should not be possible if we store the state in the extensions storage.
We absolutely should not inject the dialog into the page itself, or via a new tab but rather use the popup that ipfs-companion provides. Take a look at how MetaMask deals with confirmation when you do a transaction. |
@victorbjelkholm thanks, great points! For future reference, metamask webextension: |
@lidel can a quick experiment to let users access window.ipfs after enabling a flag on the settings pane? @joaosantos15 would really appreciate this. @joaosantos15, perhaps you can grab @victorbjelkholm PoC and submit a PR to station? |
@diasdavid there is some very early wip for that here #333 It's building on the ideas in https://github.com/victorbjelkholm/js-ipfs-in-the-browser |
Just like @diasdavid suggested, we can work on PR #333 as an experiment that is disabled by default (another checkbox in Preferences 🙃 ). I feel that as long it is an "opt-in experiment" we can ship it as a crude PoC, even without authorization GUI (although it may not be the hardest part, as noted in #333 (review)). |
Thanks @lidel @olizilla. Yes, shipping it as an opt-in would enable @joaosantos15 use case for now, that would help a ton :) |
@diasdavid @joaosantos15 out of interest, what is the use case? |
glad you asked :) it is for @joaosantos15 thesis -> ipfs/notes#268 & https://github.com/inesc-id/hypercerts |
@diasdavid given all the limitations of proxy-ing across to an ipfs in the webext background page, would it be of any use if simply provide js-ipfs as a constructor at We can do both, it's just that a useable |
Hello, sorry it has taken me this long to reply, and thank you for the help! :)
would make that work, right? Thanks! |
@joaosantos15 ah, if you are developing a webextension, be sure to see our other proposal: Let us know which approach is better for you ( |
Right now my extension is pretty simple, it only injects some js to change the layout of the webpage, I'd prefer |
@joaosantos15 to add and get files with an ifps daemon you'll want |
@joaosantos15 you could already today use If you check for Example:
With this example, your application will work today and once |
@victorbjelkholm that's great. I'll go ahead and do it that way and when #333 is ready I'll switch to that. Thanks for the help, everyone 😄 |
Hey, some progress here:
WIP PR for companion here: #333 |
Ok so, some more news. As of v0.0.12, ipfs-postmsg-proxy has feature parity with js-ipfs in the browser, according to the It's cool firstly because we're able to use
I've opened issues to deal with the caveats: However my priority now is to implement ipfs-inactive/ipfs-postmsg-proxy#5 which will allows us to add in the per method access control for ipfs companion. I'll then do that in #333, and also implement a preference to enable/disable adding ...and then, a first version can be shipped 🎉 |
Is this what we'd like for access control?:
|
Thinking through this a bit, on the permissions model, It would be really nice to be able to limit which directories in the files api that pages have access to. Maybe give them /apps/DOMAIN/ or something? |
@alanshaw more like, restricting calls like |
We need to scope things based on not just the origin but the path as well. So an IPFS application would be scoped to Edit, although, my first example will lead to some troubles when apps not using IPNS gets updated, as the data cannot be migrated in that case. |
I’m not sure I’m understanding you both properly...the permissions are scoped to origin + pathname. If you allow to /apps/example.com then anything under it will get access, but /apps/another.com will not. |
@alanshaw I'm talking about paths within the ipfs files api. |
Ah, got ya. I didn't pick up that you meant the actual paths of files stored in IPFS. @victorbjelkholm has suggested disabling all access to Thanks for taking the time to evaluate this @whyrusleeping - do you have any other concerns? I'm also wondering if there's more people that we should get to review this also...? |
So just to flesh this out a little - we're talking about the MFS specific functions of When accessing MFS functions via e.g. if you application is running at https://example.com/mycoolapp then you can only access files and directories in or under To distinguish this scope from general access permissions scope we'll call it mfs-scope.
For the beta release I'll temporarily disable access to the above functions until I can implement the scope rules. |
Is it worth namespacing access to companion? e.g. |
I think it is a good idea, having |
I've been mulling this over and had a thought - should mfs-scope be transparent? So the app would read and write to I think that would be cool, but I don't know if there's any repercussions to doing this that I've perhaps not considered. |
MFS is local and it should be fine for different apps to see different roots. Question: is it possible to escape the sandbox via |
BREAKING NEWS ✨ PR is here ->> #431 |
@whyrusleeping @victorbjelkholm something that came up today was sharing data between different versions of an application. The MFS scoping does a good job of stopping applications writing all over your stuff and each other's stuff but it means that if I have an app at ipfs.io/ipfs/Qm0 and I update it to ipfs.io/ipfs/Qm1 then ipfs.io/ipfs/Qm1 no longer has access to the files saved by ipfs.io/ipfs/Qm0, even though they are the same app. It's been suggested that IPNS is the answer to this, but I wondered what your thoughts were? We also discussed an alternative to MFS scoping - instead ask the user for permission to read/write to a directory (and sub directories). |
Hmm.... Thinking out loud, might contain traces of mistakes. The same problem appears with general application updates. Let's say you deployed application with hash Instead, by using IPNS you'd have MFS scoped properly to the publishing key instead, where both application updates and MFS scoping would work correctly. Asking for permissions is interesting though, because that also gives the application developer a way of requesting access to another applications data, for interop between apps. But there is also the risk of collision between apps (since the application developer and not the user is requesting access to a path [or maybe not? Maybe the user can change it to their liking ala Android with sdcards?]) Also, regarding requesting access, the user would have to keep track of which application has access to which path, as otherwise you could accidentally give access to the wrong directory, that might not be a great idea. I'm leaning towards having things as transparent as possible (let IPFS applications be locked to /ipfs/asd and IPNS applications be locked to /ipns/asd) but I also see value in offering easy ways of doing data sharing between applications. I'm thorn. |
On Pushing Security Decisions Onto UsersMaybe this will help: Let's take a look at Origin-based security context that isolates local storage, cookies etc in the regular web. Note that there is no GUI for opting out of Origin-based isolation per website. We have low-level CORS dance just so that one page can access API of the other. But no GUI for escaping Origin sandbox. That is for a good reason. Here comes my main fear: as soon as we introduce UI for apps to ask user for access outside of its default security perimeter, we will end up with Windows Vista UAC-like hell of nagging dialogs. Of course every app will want access to the root of your I feel we should aim in the other direction: remove friction (dialogs) for every sandboxed API method. Look closely at various methods and decide which ones are safe to be executed without any ACL prompt. |
MFS Chroot/Sandboxing Just LandedPR #431 just got merged. This means your app's MFS root directory is based on the origin and path where your application is running. Just for the record, I was playing with running this on various sites: ipfs.files.write('/test-from-' + window.location.host, Buffer.from('ehlo'), { create: true }).then(() => console.log('done')) and sandboxing of |
Closing this issue: IPFS Companion v2.2.0 shipped with Remaining work related to refining security and UX constraints for window.ipfs will be tracked in #454. The |
There is an area of interest that can be summarized as..
tl;dr If we have it, websites could detect that
window.ipfs
already exists and use it instead of spawning ownjs-ipfs
node (saves resources, battery etc).We had discussions in ipfs-inactive/js-ipfs-http-client#387 and #37, ipfs/in-web-browsers#9, ipfs/in-web-browsers#35 but the consensus at the time was that it is not safe without some kind of access-control (eg. via proposed API Tokens: ipfs/kubo#1532).
@victorbjelkholm suggested a simple solution to the lack of access controls in the API itself:
On the first use of
window.ipfs
user could be prompted with something like "Do you want to allow scripts at<website>
to access API of your IPFS node?". The choice would be remembered eg. for the page til the end of browsing session. There could also be an additional "remember for this site" checkbox to make UX better for users who wants to make permission persist between browser restarts.Tasks
window.ipfs
of the page it is injected intowindow.ipfs
should be proxied to the real IPFS API object present in webextension's Background page (requires robust (de)serialization, we don't want to mangle upload data etc)window.ipfs
should trigger a dialog where user confirms that access to IPFS API is granted to requesting site (and decides if permission is for this session only or permanent)Potential problems
window.ipfs
enabled by default: make sure it is not possible for a website to approve itself 🙃 This may mean we can't inject dialog to the tab itself and the dialog needs to be displayed in a new Tab or via other means.The text was updated successfully, but these errors were encountered: