No longer able to debug flutter web app behind reverse proxy due to "Unexpected sender"

[woprandi]

I'm trying to develop a flutter web app behind a nginx server. It worked few weeks ago but now I got this notification :

webdev/dwds/debug_extension_mv3/web/messaging.dart

Lines 212 to 215 in 51b5484

	displayNotification(
	'Unexpected sender ${sender.origin}. Please file a bug at go/dde-bug or https://github.com/dart-lang/webdev',
	isError: true,
	);

My nginx conf

server {
    server_name <REMOTE_HOST>
    location /api {
        proxy_pass <API>
    }   

    location / { 
        proxy_pass http://localhost:9020;

        # FOR DEVELOPMENT                                                                                                                                                                                                                     
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }   
}

The 9020 port is a remote docker container with the flutter app

[elliette]

Hi @woprandi - we've tightened the security on the Dart Debug Extension to only allow localhost origins, see: #2287

I'm not to familiar with nginx, what is the host name for your Flutter app? We could potentially add a setting to the extension that would let you specify your host.

[woprandi]

The flutter app is developped on a remote machine. We should be able to disable this security. The host is not reachable from internet

[elliette]

Would specifying the host be sufficient in this case? As described above, we could add a setting to the extension that would let you specify your host.

[NDevTK]

If you can use the hostname something.googlers.com that should work.

[woprandi]

@elliette Yes if I can specify several hosts or a wildcard such as *.something it would be enough I think

[NDevTK]

Problem is with https://bugs.chromium.org/p/chromium/issues/detail?id=1227410 it's hard to store the hostname safely while having a content script on every website.

Maybe something generic could work like: .local or a local IP address.

[woprandi]

HTTPS is not even enough...

[NDevTK]

Yeah the patch only checks the hostname.
Since the debugger API allows for a UXSS its not enough to just have a safe connection.

There are ways to safely store the hostname https://developer.chrome.com/docs/extensions/develop/concepts/storage-and-cookies#storage-in-service-workers

[quyenlv-unicloud]

@NDevTK Hi, do you known any way to test dev website on other mobile devices same lan without using something.googlers.com?

Before:

• running flutter webs-server --web-hostname=10.50.10.10 --web-port=4200
• open in chrome and click Dart extension
• then all other mobile devices on same lan can access dev website at 10.50.10.10:4200

Now:

• "unexpected sender" because not localhost
• other mobile devices not understand "localhost"
• the only way is change android hosts (required root?) or using customize dns server (required many work/setup)

[NDevTK]

Currently no although for this attack it was not about local threats. It seems reasonable for something on the local lan range to be automatically allowed. (They can already spoof googlers.com)

…

On Mon, Mar 18, 2024, 5:45 AM quyenlv-unicloud ***@***.***> wrote: @NDevTK <https://github.com/NDevTK> Hi, do you known any way to test dev website on other mobile devices same lan without using something.googlers.com? Before: - running flutter webs-server --web-hostname=10.50.10.10 --web-port=4200 - open in chrome and click Dart extension - then all other mobile devices on same lan can access dev website at 10.50.10.10:4200 Now: - "unexpected sender" because not localhost - other mobile devices not understand "localhost" - the only way is change android hosts (required root?) or using customize dns server (required many work/setup) — Reply to this email directly, view it on GitHub <#2375 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHQZ74PDTADGWTEF5J2I6IDYYZ5PHAVCNFSM6AAAAABDQ55SBGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMBSHE3TKMJWHA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[woprandi]

@NDevTK By spoof, you means add entry to /etc/hosts file ?

[NDevTK]

So for a local attacker assuming I remember correctly: DNS is unencrypted by default so it's possible to say googlers.com resolves your device. ARP is used to dermine what device an IP resolves to and that's also unencrypted.

…

On Mon, Mar 18, 2024, 11:24 AM William Oprandi ***@***.***> wrote: @NDevTK <https://github.com/NDevTK> By spoof, you means add entry to /etc/hosts file ? — Reply to this email directly, view it on GitHub <#2375 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHQZ74N7HPMVXOA7JIEON5TYY3FINAVCNFSM6AAAAABDQ55SBGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMBTGY2TIOJZGQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[woprandi]

I built the extension with the security disabled. Fortunately the patch is trivial.

[NDevTK]

Well if you're building the extension why not just put your own host in the code! But yeah there should be a UI to grant permission for a user provided host. Even if that does mean using indexedDB.

…

On Mon, Mar 18, 2024, 3:09 PM William Oprandi ***@***.***> wrote: I built the extension with the security disabled. Fortunately the patch is trivial. — Reply to this email directly, view it on GitHub <#2375 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHQZ74MK2XYIZ5LSOTSKXM3YY37SPAVCNFSM6AAAAABDQ55SBGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMBUGE3TGNJXGM> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[woprandi]

It's supposed to be temporary until it's fixed upstream. I could try to implement the UI to add hosts on whitelist but I have no knowledge on extension development

[Zekfad]

Why not add settings page and whitelist: https://developer.chrome.com/docs/extensions/develop/ui/options-page

[NDevTK]

Personally because I'm bad at web design I think using an allow list only controllable by the user is the fix. Can't use chrome.storage however otherwise get back to the start.

…

On Sun, Mar 31, 2024, 8:50 PM Yaroslav Vorobev ***@***.***> wrote: Why not add settings page and whitelist: https://developer.chrome.com/docs/extensions/develop/ui/options-page — Reply to this email directly, view it on GitHub <#2375 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHQZ74OPPWLX7LJSGXWJBWTY3BSIVAVCNFSM6AAAAABDQ55SBGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMRYHA4DQNBWGY> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[Zekfad]

If you want to avoid chrome.storage, what about using in-memory variable from background worker?
Add button to popup that would add current tab host to whitelist until browser is restarted.
User anyway need to press open devtools to start debug session, it wont be so much of inconvenience, at least it's better than patching extension to test your app in prod environment (in our case we use external authentication provider).

[NDevTK]

Yeah if a dialog came up when clicking on the extension icon that said "Do you want to allow origin access to all websites" that would be fine.

[Kludgy4]

+1 trying to develop behind a local kong server and am getting this error as well

[woprandi]

@Kludgy4 You can patch the extension to disable sender check as workaround