Fix Browse local auth leak and migrate legacy profiles#2226
Open
time-attack wants to merge 2 commits into
Open
Fix Browse local auth leak and migrate legacy profiles#2226time-attack wants to merge 2 commits into
time-attack wants to merge 2 commits into
Conversation
|
Merging to
After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here |
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/healthstatus-only and reject DNS-rebinding-style local Host headers.This PR intentionally contains no version bump or changelog entry.
What happened, in simple terms
GStack Browse runs a local server on the developer's Mac. The old version put the server's master key in its public
/healthresponse. A normal website could not simply read that response because of the browser's same-origin rules, but an unrelated Chrome extension with localhost access could. A website using DNS rebinding was another route that needed to be closed.That master key was more than a health-check token: after obtaining it, a caller could ask Browse for a terminal session and connect to the local Claude terminal. We reproduced that complete chain with a separate attacker extension and a real terminal WebSocket.
This PR removes the key from HTTP discovery entirely. The Browse process now writes a fresh credential directly into storage owned by one fixed GStack extension ID. Public pages and content scripts cannot request it, the terminal accepts only that exact extension origin, and local HTTP rejects unexpected Host headers.
Automatic migration
Existing installations are repaired without manual profile surgery. The normal setup/updater installation path detects the old path-derived extension identity inside GStack's dedicated Chromium profile, moves only its extension storage into a private rollback directory, and leaves unrelated extensions and the user's normal Chrome profile untouched. The migration is idempotent and defers instead of editing an active profile.
Test Coverage
New regression coverage exercises status-only health responses, forged extension Origins, DNS rebinding Host headers, fixed extension identity derivation, content-script credential isolation, both supported extension launch modes, migration/backup/idempotency behavior, setup wiring, and standards-compliant terminal WebSocket authentication.
Pre-Landing Review
Three independent read-only reviews covered auth/trust boundaries, migration/repair safety, and browser/terminal compatibility. The first pass found five blockers: content scripts could read local extension storage, one extension launch mode lacked a real service worker, live Chromium locks could be missed, invalid profiles could be marked migrated, and repaired Playwright caches lacked the registry marker. All five were fixed and regression-tested. The final re-review found no remaining P0/P1 issues.
Design Review
No visual behavior changed; design review skipped.
Eval Results
No prompt-related files changed; evals skipped.
Plan Completion
No plan file detected.
Documentation
ARCHITECTURE.md: documents status-only/health, Host validation, and trusted extension credential provisioning.BROWSER.md: explains the secure extension identity, automatic legacy-profile migration, repair opt-out, and corrected SSE authentication claim.docs/REMOTE_BROWSER_ACCESS.md: clarifies that/healthnever returns credentials.docs/designs/GSTACK_BROWSER_V0.md: updates the shipped authentication design.No version history was added.
Verification Results
bun run testcommand completed successfully; the final focused security, migration, browser-manager, and terminal run passed 18/18 tests.Test plan
Fixes #1324