dr|z3d
not a full fix, zzz, but a start: github.com/I2PPlus/i2pplus/commit/681e8fb1e2c1fb174d9ece2ac483b4d3035a4989
dr|z3d
StormyCloud: in case you didn't get the missive, I think we migrated from Transifex.
zzz
we already have default-src self so form-action self doesn't add anything
dr|z3d
sure, it's more an indicator than anything else.
zzz
ok I've found two separate static nonces in the console plus one stored in system properties
zzz
still not sure it's a real problem but it's messy/ugly enough I can't stand behind it
zzz
dr|z3d, could you help by researching the Origin header? they recommend "Add Origin header validation on all POST handlers"
zzz
I have read the mozilla article. Firefox sends "Origin: null" on POSTs
zzz
so we reject if it's not present? or not "null"? that's what I'm not clear about
dr|z3d
I think null is sent for POST requests for files etc.; non-localhost attempts would not have Origin null, so they'd be rejected.
dr|z3d
Got some provisional code to harden post requests, testing, will push to git.
zzz
or would it have the Origin set to something else?
zzz
if it were a CSRF attempt
dr|z3d
exactly.
dr|z3d
basic analysis:
dr|z3d
Origin: null appears when:
dr|z3d
- Request from file:// page
dr|z3d
- Request from data:// page
dr|z3d
- Request from sandboxed iframe
dr|z3d
- Request from context that was blocked by browser
dr|z3d
Security analysis for I2P console:
dr|z3d
1. Attacker can't control this: From attacker's website, browser sends real Origin (e.g., attacker.com), not "null"
dr|z3d
2. Requires local access: To send Origin: null, attacker needs code running on victim's machine (file://) - at that point they already have physical access
dr|z3d
3. CSRF nonce still required: Even with Origin: null allowed, the POST still needs a valid CSRF nonce to succeed. The Origin check is defense-in-depth.
dr|z3d
4. Console is localhost-only: I2P console isn't exposed to network - only accessible via 127.0.0.1/localhost
zzz
so which is it? Origin not present or Origin set to non-"null"
dr|z3d
csrf attempts would fail because the origin wouldn't be null, it would be the attacker's origin as I understand it.
zzz
but you said <dr|z3d> - Request from context that was blocked by browser
zzz
which sounds like the bad case
zzz
if you could try to get us smarter on this that would be more helpful than guessing ))
zzz
found another one stored in system properties so the mess is expanding. this will take a while to unhork
dr|z3d
blocked from browser would be something like <iframe src=foo sandbox>
dr|z3d
possible null scenarios:
dr|z3d
1. Sandboxed iframe without allow-same-origin - If you embed the console in a sandboxed iframe without the allow-same-origin directive, the nested content has a unique origin (null)
dr|z3d
2. Blocked by CSP (Content Security Policy) - If CSP blocks a navigation or resource load, the resulting request may have Origin: null
dr|z3d
3. browser-extension or bookmarklet context - Extensions/bookmarklets may make requests from a context that has no clear origin
dr|z3d
4. About:blank or about:srcdoc - Pages created with about:blank or about:srcdoc have Origin: null until they set document.domain or have a non-null origin assigned
dr|z3d
5. CORS preflight failure - If a preflight fails, the actual request might still go out with Origin: null in some edge cases
zzz
they want us to "validate" the header, so I'm stumped on what that requires: is it just "null".equals(originheadervalue), and does that work on all browsers, or is it more complex? is a non-"null" value ever valid?
dr|z3d
in case my last messages got lost in the ether:
dr|z3d
> OK, so, I think I've got validation down.
dr|z3d
> 1. **Allow if no Origin header** - same-origin form POST without explicit Origin
dr|z3d
> 2. **Allow Origin: null** - for file://, sandboxed iframes, or detached contexts
dr|z3d
> 3. **Allow matching origin** - same host:port as request
dr|z3d
> 4. **Reject all others** - returns HTTP 403
dr|z3d
> commits on github for console, susimail, snark.
dr|z3d
> feel free to rip them apart.
zzz
ok that's almost code-able
zzz
don't think file:// applies
zzz
port is optional: developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin
dr|z3d
why doesn't file:// apply? we have a few file inputs.
dr|z3d
install plugin from file system, add routerinfos etc.
zzz
jetty won't ever see a file:// request URI. That's different from a file form input
zzz
we would see that as a POST to a http: or https: URL
zzz
right?
dr|z3d
sounds about right, sure.
zzz
so what's the case for Origin missing being valid? ancient browsers?
zzz
seems like we'd also have to block ANY Origin header for GET or HEAD?
zzz
since those would all be cross-origin
zzz
maybe that's the magic on how to keep them from getting nonces
dr|z3d
GET/HEAD are robustly protected because:
dr|z3d
1. Any state-changing operation requires POST (enforced by formhandler.jsi)
dr|z3d
2. Any GET with side effects (like log clearing) has explicit nonce validation
dr|z3d
3. Read-only GET requests are inherently safe (no state change)
dr|z3d
> The nonce validation is the primary defense - it works on ALL browsers. The Origin header is defense-in-depth for modern browsers.
dr|z3d
GET/HEAD Nonce Protection Analysis
dr|z3d
Protected. Here's the defense:
dr|z3d
1. POST-only Enforcement
dr|z3d
FormHandler.java:274 enforces POST for all state-changing forms:
dr|z3d
if (_method != null && !"POST".equals(_method)) {
dr|z3d
addFormError(_t("Invalid form submission, requires POST"), true);
zzz
but they can get the nonce from a cross-origin GET
zzz
and then use it in the POST
zzz
that's the basic scenario
dr|z3d
_valid = false;
}
zzz
we already require post in all forms afaik
zzz
I've had to mod 20 files just to unhork the console nonces and I probably broke everything so it's going to be a while
dr|z3d
joy, zzz!
dr|z3d
no breakage here :)
zzz
you didn't fix the nonces
dr|z3d
you're right, only a partial "fix" with rotation.
dr|z3d
what about the origin stuff, did you take that?
zzz
no, haven't gotten that far, and would have to review it and probably not put it where you did
dr|z3d
ok
zzz
also, contrary to what I said above, and not caught by them, there are several places where we allow changes on a GET
zzz
most minor, all annoying to fix
dr|z3d
maybe it's time to enforce a console password and be done with it.
zzz
no, people would revolt
zzz
but if you do, you can revert everything else
dr|z3d
haha, that's amusing.
zzz
not really.
dr|z3d
I wouldn't revert anything, no real downside to what I've already done.
dr|z3d
no, it's amusing that you'd think people would revolt.
dr|z3d
I don't think they would, once it's explained to them in pictures drawn with crayons that password == super good.
dr|z3d
password + https by default, "defense in depth".
zzz
knock yourself out
dr|z3d
we already have https by default.