Remove GitHub, GitLab, and BitBucket pages from the trusted origins l…

…ist as they allow open redirects Closes #791 Relevant due to TurboWarp/scratch-vm@56a1b14
TurboWarp · Aug 25, 2023 · b732376 · b732376
1 parent 7681d27
commit b732376
Showing 1 changed file with 0 additions and 11 deletions.
diff --git a/src/containers/tw-security-manager.jsx b/src/containers/tw-security-manager.jsx
@@ -47,12 +47,6 @@ const embedOriginsTrustedByUser = new Set();
  * @returns {boolean} True if the URL is part of the builtin set of URLs to always trust fetching from.
  */
 const isAlwaysTrustedForFetching = parsed => (
-    // Note that the regexes here don't need to be perfect. It's okay if we let extensions try to fetch
-    // resources from eg. GitHub Pages domains that aren't actually valid usernames. They'll just get
-    // a network error.
-    // URL parsing will always convert the parsed origin to lowercase, so we don't need case
-    // insensitivity here.
-
     // If we would trust loading an extension from here, we can trust loading resources too.
     isTrustedExtension(parsed.href) ||
 
@@ -64,14 +58,9 @@ const isAlwaysTrustedForFetching = parsed => (
     // GitHub
     parsed.origin === 'https://raw.githubusercontent.com' ||
     parsed.origin === 'https://api.github.com' ||
-    parsed.origin.endsWith('.github.io') ||
 
     // GitLab
     parsed.origin === 'https://gitlab.com' ||
-    parsed.origin.endsWith('.gitlab.io') ||
-
-    // BitBucket
-    parsed.origin.endsWith('.bitbucket.io') ||
 
     // Itch
     parsed.origin.endsWith('.itch.io') ||