ipfs/ipfs-companion

Right-click upload from cookie/token-guarded services fail

Open

#351 opened on Jan 6, 2018

View on GitHub
 (0 comments) (1 reaction) (0 assignees)JavaScript (1,992 stars) (364 forks)batch import
P3help wantedkind/bugstatus/deferred

Description

This one is nit-picky, but nevertheless, decreases UX:

How to Reproduce

  1. Go to a service that has some guarded content. What I mean by that is if you copy URL to an image and paste it in "Incognito Mode" it will redirect you to login page. Lets use Slack as an example.
  2. Upload image to a private channel
  3. Right click on it and select "Upload to IPFS"

Current Behaviour

Slack's login page is added to IPFS instead of selected image 🙃

Desired Outcome

Selected image should be added to IPFS, as expected. 👌

Rationale: It would not decrease website's security: if user was able to display image, she can save it to the disk and then upload it to IPFS manually anyway. :trollface:

Potential Fix

My guess is that the bug is caused by ipfs.util.addFromURL doing internal fetch without proper credentials. A fix would be to pass raw bytes/stream of right-clicked asset to one of ipfs.files.add* methods instead.

Contributor guide

Tech stack
javascript
Domain
frontendtooling
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
JavaScriptbrowser extensionsIPFS API
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
55
Research direction
The bug is in the right click upload feature of the IPFS Companion browser extension. It uses `ipfs.util.addFromURL` which makes a fetch request without credentials, causing token/cookie guarded services to return a login page instead of the actual image. The fix is to pass the raw bytes of the asset (obtained from the browser's context menu API) to `ipfs.files.add` instead. Relevant code is in the extension's background script handling the context menu click event. Look for the function that calls `addFromURL` and modify it to use `add` with the image data. The issue has no activity since 2018 and no linked PR, so it's up for grabs.