I noticed a security issue with this package.
The issue is that any hx-request can be triggered from any view with the hx mixin. This allows code to be run in contexts the developer did not have in mind. Furthermore, it allows malicious code to be checked in as an hx request in a 3rd-party package that the developer doesn't know about, which can then be run by the client to extract data.
A few ideas:

- Allow different levels of restriction.
  - Globally, from the settings file
    - Modes
      - whitelist
      - blacklist
    - Scopes
      - all (current behavior)
      - packages (don't allow hx requests from 3rd-party packages to be run unless they are specified in a white/black list)
      - lists (white/black list of action names that are allowed to be run)
  - On views, via the mixin
    - have a whitelist/blacklist of actions allowed in that particular view
    - could have "Scope" change too, but that might be overkill to do on a view-by-view basis
- Improve the documentation to point out this vulnerability, and suggest settings.
- Develop sane defaults for dev/prod use and document guidelines around them.
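One way to model the global modes/scopes and the per-view override proposed above, as an added illustration that is not code from the hx-requests package; `Policy`, `allowed_globally`, `HxAllowlistMixin`, the attribute names and the registry entries are assumed for this example only:

```python
# Added example of the restriction model described in the issue. Class, function
# and setting names are assumptions, not the package's own API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # Global settings as proposed: mode is "whitelist" or "blacklist";
    # scope is "all" (current behaviour), "packages" or "lists".
    mode: str = "whitelist"
    scope: str = "lists"
    names: frozenset = frozenset()      # action names listed globally
    packages: frozenset = frozenset()   # 3rd-party module prefixes listed globally
    first_party_prefix: str = "myproject."


def allowed_globally(policy: Policy, action_name: str, module: str) -> bool:
    """Decide whether a registered hx action may run under the global policy."""
    if policy.scope == "all":
        return True  # current behaviour: every registered action may run
    if policy.scope == "packages":
        # First-party actions always run; 3rd-party ones are checked against the list.
        if module.startswith(policy.first_party_prefix):
            return True
        listed = any(module.startswith(p) for p in policy.packages)
    else:  # "lists": the list holds action names
        listed = action_name in policy.names
    return listed if policy.mode == "whitelist" else not listed


class HxAllowlistMixin:
    """Per-view override: a view names exactly the actions it intends to serve."""
    hx_allowed_actions = None          # None defers to the global policy
    hx_denied_actions = frozenset()

    def action_permitted(self, policy: Policy, action_name: str, module: str) -> bool:
        if action_name in self.hx_denied_actions:
            return False
        if self.hx_allowed_actions is not None:
            return action_name in self.hx_allowed_actions
        return allowed_globally(policy, action_name, module)


# Constructed registry: action name -> module that registered it.
REGISTRY = {"update_cart": "myproject.shop.hx", "export_users": "thirdparty.widgets.hx"}


class CartView(HxAllowlistMixin):
    hx_allowed_actions = frozenset({"update_cart"})


def cart_view_permits(action_name: str, policy: Policy = Policy(scope="all")) -> bool:
    """Dispatch-time check: is this action permitted on CartView?"""
    return CartView().action_permitted(policy, action_name, REGISTRY.get(action_name, ""))
```

Under the current "all" scope `cart_view_permits("export_users")` is only refused because the view lists its own actions; without the per-view list every registered action, including the 3rd-party one, would be served.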