Added security and privacy feature, use private parameters after hastag to avoid server logging

Added security and privacy feature, use private parameters after hastag to avoid server logging

Added a security and privacy feature: pass private parameters after the hash sign (#) to avoid server logging
yatru 2021-08-24 01:53:19 +02:00
parent 7485e82b72
commit c581d78453
2 changed files with 20 additions and 3 deletions


@ -20,10 +20,19 @@ export function initLogging(level) {
}
// Read a query string variable
// A URL with a query parameter can look like this (But will most probably get logged on the http server):
// https://www.example.com?myqueryparam=myvalue
//
// For privacy (Using a hastag #, the parameters will not be sent to the server)
// the url can be requested in the following way:
// https://www.example.com#myqueryparam=myvalue&password=secreatvalue
//
// Even Mixing public and non public parameters will work:
// https://www.example.com?nonsecretparam=example.com#password=secreatvalue
export function getQueryVar(name, defVal) {
"use strict";
const re = new RegExp('.*[?&]' + name + '=([^&#]*)'),
match = document.location.href.match(re);
match = ''.concat(document.location.href," ", window.location.hash).match(re);
if (typeof defVal === 'undefined') { defVal = null; }
if (match) {
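Review bot: The pattern on the `const re` line still requires `?` or `&` before the name, so the first parameter after `#` never matches: in the documented `...#myqueryparam=myvalue&password=...` only `password` is found, and in the mixed example `...?nonsecretparam=example.com#password=...` the password is not found at all. `location.href` already contains the fragment, so appending `window.location.hash` adds nothing; the change that makes the feature work is `const re = new RegExp('.*[?&#]' + name + '=([^&#]*)'),` with `match = document.location.href.match(re);` kept as it was. The same two lines appear in `readQueryVariable` in the second file and need the same fix. The comment should also say that a fragment value stays out of server logs but is still stored in browser history and readable by any script running on the page. getQueryVar's body continues past the end of the hunk.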


@ -109,13 +109,21 @@
// query string. If the variable isn't defined in the URL
// it returns the default value instead.
function readQueryVariable(name, defaultValue) {
// A URL with a query parameter can look like this:
// A URL with a query parameter can look like this (But will most probably get logged on the http server):
// https://www.example.com?myqueryparam=myvalue
//
// For privacy (Using a hastag #, the parameters will not be sent to the server)
// the url can be requested in the following way:
// https://www.example.com#myqueryparam=myvalue&password=secreatvalue
//
// Even Mixing public and non public parameters will work:
// https://www.example.com?nonsecretparam=example.com#password=secreatvalue
//
//
// Note that we use location.href instead of location.search
// because Firefox < 53 has a bug w.r.t location.search
const re = new RegExp('.*[?&]' + name + '=([^&#]*)'),
match = document.location.href.match(re);
match = ''.concat(document.location.href," ", window.location.hash).match(re);
if (match) {
// We have to decode the URL since want the cleartext value