Mobile/Responsive Preview Package


#1

Hey guys, just released this: https://atom.io/packages/mobile-preview

Let me know what you think :smile:


Security Public Service Announcement
#2

I am going to be scared of anything that fetches remote resources without my own explicit control. There’s no sandbox and there’s full access to node.

EDIT: Looks like you use an iframe. Maybe there’s a way to sandbox it?


#3

Sure enough. Just tested this out. The iframe keeps atom internals away, but there’s full access to node from the iframe, which means any remote resources have full shell access on your box with little effort, no exploits.


#4

Security issues aside, this is a really interesting project.


#5

Yowza. How do you access node from within the iFrame?


#6

I was hoping the iFrame would keep everything contained. Running into issues with resources loading, etc…

Pushing the preview out to the browser would work, but that kind of negates the usefulness.


#7

Just pushed a patch to disable remote URLs until this gets worked out.


#8

The simple setup I used was to put this script on a remote page:

// Page script that proves the preview frame can reach Node: it spawns a
// process (here `touch`) from the previewed page.
var spawn = require('child_process').spawn,
    ls    = spawn('touch', ['/tmp/plopped']);

Then load it via the mobile preview and see if I left myself a present in /tmp.


#9

You know, even local resources can pull down remote stuff, so I think I’m just going to pull this down altogether.


#10

There’s got to be a way to sandbox the iframe, as was suggested in the security PSA thread. Definitely a good feature to request, as your package is really quite cool with the right constraints.


#11

We’re working on a fix for the iframe security problems mentioned in this thread, it should be in the next release v0.69.0.

iframes will be sandboxed and unable to access any node APIs. Thanks for keeping an eye on issues like these everyone!
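A non-destructive way to confirm the fix described above, added here as an example and not code from the package, the Atom patch or anyone in the thread: a probe that a package author can load in the preview frame to list which Node-only globals are reachable, plus the frame markup it assumes (the `sandbox="allow-scripts"` attribute is an assumption about how a sandboxed preview would be built; the thread does not show the actual change).

```javascript
// Node-only names that must NOT be visible to a previewed page.
const NODE_ONLY_GLOBALS = ['require', 'process', 'Buffer', 'module', '__dirname', '__filename'];

// Report which Node globals are reachable from `scope` (the iframe's window
// when run inside the preview). Replaces the thread's `touch /tmp/plopped`
// test with a read-only check that returns a verdict instead of a side effect.
function probeNodeExposure(scope) {
  const exposed = NODE_ONLY_GLOBALS.filter((name) => {
    try {
      return typeof scope[name] !== 'undefined';
    } catch (e) {
      // A strict sandbox may throw on cross-origin access; that counts as not exposed.
      return false;
    }
  });
  return { exposed, sandboxed: exposed.length === 0 };
}

// Markup for a preview frame that keeps page scripts away from the host.
// `sandbox` without allow-same-origin gives the page an opaque origin, and
// allow-scripts is kept so the previewed site still renders. Attribute values
// are escaped so a crafted URL cannot break out of the attribute.
function sandboxedPreviewMarkup(url, width, height) {
  const escapeAttr = (s) => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
  return `<iframe src="${escapeAttr(url)}" sandbox="allow-scripts" ` +
         `width="${Number(width)}" height="${Number(height)}"></iframe>`;
}

// Stand-alone demo: a bare object stands in for a properly sandboxed window,
// and a constructed object stands in for a window that still exposes Node.
console.log(probeNodeExposure({}));                                   // sandboxed: true
console.log(probeNodeExposure({ process: {}, require: () => {} }));   // sandboxed: false
console.log(sandboxedPreviewMarkup('http://example.com/?a=1&b="x"', 320, 480));
```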


#12

Saw 0.69 came out, tested and it looks like we’re good to go. This package is back in business. Thanks!


#13

Do you know if user-agent overrides for iframes are supported, or if there is a plan to support them, to facilitate triggering an m.website.com when it’s standalone mobile and not responsive?


#14

Thanks dude, this is useful.