
No longer able to debug flutter web app behind reverse proxy due to "Unexpected sender"

Open woprandi opened this issue 1 year ago • 21 comments

I'm trying to develop a Flutter web app behind an nginx server. It worked a few weeks ago, but now I get this notification:

https://github.com/dart-lang/webdev/blob/51b5484348b4a8ede351e8dff0428b083495ba78/dwds/debug_extension_mv3/web/messaging.dart#L212-L215

My nginx conf

server {
    server_name <REMOTE_HOST>;
    location /api {
        proxy_pass <API>;
    }

    location / {
        proxy_pass http://localhost:9020;

        # FOR DEVELOPMENT
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket upgrade for the dev server / debug connection
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

Port 9020 is a remote Docker container running the Flutter app.

woprandi avatar Feb 20 '24 11:02 woprandi

Hi @woprandi - we've tightened the security on the Dart Debug Extension to only allow localhost origins, see: https://github.com/dart-lang/webdev/issues/2287

I'm not too familiar with nginx. What is the host name for your Flutter app? We could potentially add a setting to the extension that would let you specify your host.

elliette avatar Feb 26 '24 18:02 elliette

The Flutter app is developed on a remote machine. We should be able to disable this security. The host is not reachable from the internet.

woprandi avatar Feb 26 '24 22:02 woprandi

Would specifying the host be sufficient in this case? As described above, we could add a setting to the extension that would let you specify your host.

elliette avatar Mar 04 '24 17:03 elliette

If you can use the hostname something.googlers.com that should work.

NDevTK avatar Mar 05 '24 00:03 NDevTK

@elliette Yes, if I can specify several hosts or a wildcard such as *.something, it would be enough I think.

woprandi avatar Mar 08 '24 12:03 woprandi

The problem is that, because of https://bugs.chromium.org/p/chromium/issues/detail?id=1227410, it's hard to store the hostname safely while having a content script on every website.

Maybe something generic could work, like .local or a local IP address.

NDevTK avatar Mar 08 '24 12:03 NDevTK

HTTPS is not even enough...

woprandi avatar Mar 14 '24 11:03 woprandi

Yeah, the patch only checks the hostname. Since the debugger API allows for a UXSS, it's not enough to just have a safe connection.

There are ways to safely store the hostname https://developer.chrome.com/docs/extensions/develop/concepts/storage-and-cookies#storage-in-service-workers

NDevTK avatar Mar 14 '24 14:03 NDevTK

@NDevTK Hi, do you know any way to test a dev website on other mobile devices on the same LAN without using something.googlers.com?

Before:

  • running flutter web-server --web-hostname=10.50.10.10 --web-port=4200
  • open in Chrome and click the Dart extension
  • then all other mobile devices on the same LAN can access the dev website at 10.50.10.10:4200

Now:

  • "unexpected sender" because not localhost
  • other mobile devices don't understand "localhost"
  • the only way is to change the Android hosts file (requires root?) or use a custom DNS server (requires a lot of work/setup)

quyenlv-unicloud avatar Mar 18 '24 05:03 quyenlv-unicloud

Currently no, although the attack in question was not about local threats. It seems reasonable for something in the local LAN range to be automatically allowed. (They can already spoof googlers.com.)


NDevTK avatar Mar 18 '24 11:03 NDevTK

@NDevTK By spoof, do you mean adding an entry to the /etc/hosts file?

woprandi avatar Mar 18 '24 11:03 woprandi

So for a local attacker, assuming I remember correctly:

DNS is unencrypted by default, so it's possible to say googlers.com resolves to your device.

ARP is used to determine what device an IP resolves to, and that's also unencrypted.


NDevTK avatar Mar 18 '24 12:03 NDevTK

I built the extension with the security disabled. Fortunately the patch is trivial.

woprandi avatar Mar 18 '24 15:03 woprandi

Well, if you're building the extension, why not just put your own host in the code!

But yeah, there should be a UI to grant permission for a user-provided host, even if that does mean using IndexedDB.


NDevTK avatar Mar 18 '24 18:03 NDevTK

It's supposed to be temporary until it's fixed upstream. I could try to implement the UI to add hosts to the whitelist, but I have no knowledge of extension development.

woprandi avatar Mar 19 '24 09:03 woprandi

Why not add a settings page and whitelist: https://developer.chrome.com/docs/extensions/develop/ui/options-page

Zekfad avatar Mar 31 '24 19:03 Zekfad

Personally, because I'm bad at web design, I think using an allow list only controllable by the user is the fix. Can't use chrome.storage, however; otherwise we're back to the start.


NDevTK avatar Mar 31 '24 20:03 NDevTK

If you want to avoid chrome.storage, what about using an in-memory variable in the background worker? Add a button to the popup that would add the current tab's host to the whitelist until the browser is restarted. The user needs to press "open devtools" to start a debug session anyway, so it won't be much of an inconvenience; at least it's better than patching the extension to test your app in a prod environment (in our case we use an external authentication provider).

Zekfad avatar Apr 05 '24 14:04 Zekfad

Yeah, if a dialog came up when clicking on the extension icon that said "Do you want to allow origin access to all websites", that would be fine.

NDevTK avatar Apr 05 '24 20:04 NDevTK
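The sender check the thread is debating, sketched as an added example (this is illustrative JavaScript, not the Dart Debug Extension's own messaging.dart code, and the function and variable names are made up for the example). It models the two ideas raised above: loopback and private LAN ranges are allowed automatically, as NDevTK suggested, and any other host must be granted explicitly by the user through a popup click and is kept only in the background worker's memory rather than in chrome.storage, so a web page cannot write to the allow list and the grant disappears on restart. The caveat from the thread still applies: auto-allowing private IP ranges deliberately accepts the on-LAN DNS/ARP spoofing threat in exchange for the workflow the reporters describe.

```javascript
// Added example: sender-origin allow list for a debugger extension.
// Not the Dart Debug Extension's code; names are illustrative.

// Always-allowed loopback hostnames. WHATWG URL returns IPv6 hostnames
// in brackets, so '[::1]' is the form we will actually see.
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

// Session-scoped grants, held only in the background worker's memory.
// Cleared when the worker or browser restarts; never persisted to
// chrome.storage, so a page with a content script cannot tamper with it.
const userGrantedHosts = new Set();

// Parse a dotted-quad IPv4 literal into four octets; null for anything
// else (hostnames, IPv6, out-of-range octets).
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// RFC 1918 private ranges plus IPv4 link-local (169.254.0.0/16).
function isPrivateIPv4(octets) {
  const [a, b] = octets;
  return (
    a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254)
  );
}

// Decide whether a message sender may reach the debugger.
// `senderUrl` stands in for the sender URL/origin the extension receives.
function isAllowedSender(senderUrl) {
  let url;
  try {
    url = new URL(senderUrl);
  } catch (e) {
    return false; // unparsable sender: reject rather than guess
  }
  // Only ordinary web pages; extension, file and data URLs are rejected.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname; // already lower-cased by the URL parser
  if (LOOPBACK.has(host)) return true;
  const v4 = parseIPv4(host);
  if (v4 !== null && isPrivateIPv4(v4)) return true;
  return userGrantedHosts.has(host);
}

// Called from the popup after the user confirms a dialog for the current
// tab; returns the host that was added. Only a user gesture reaches here.
function grantHost(senderUrl) {
  const host = new URL(senderUrl).hostname;
  userGrantedHosts.add(host);
  return host;
}

// Drop all session grants (e.g. from a "revoke" button in the popup).
function revokeAllGrants() {
  userGrantedHosts.clear();
}
```

Note that the check is on the parsed hostname, exactly the property the thread says is being compared today, so it inherits the same limitation: a safe transport (HTTPS) does not help, because the decision never looks at it, and a LAN attacker who can answer DNS or ARP for a private address is inside the automatically allowed set.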

+1, trying to develop behind a local Kong server and I am getting this error as well.

Kludgy4 avatar Jul 24 '24 07:07 Kludgy4

@Kludgy4 You can patch the extension to disable the sender check as a workaround.

woprandi avatar Jul 24 '24 08:07 woprandi