
开源中国 / Gitee Feedback


[Security] Cross-site information theft across the Gitee Pages domain

2023-03-23 18:24


Some other cross-site JS APIs also have this capability.


Mainstream international services of this kind, such as github.io, vercel.dev and pages.dev, all have this hardening measure in place.

Therefore, it is recommended to submit the gitee.io domain to the international body (method: https://publicsuffix.org/submit/ ) to avoid the potential security risk.





mozilla: https://wiki.mozilla.org/Public_Suffix_List
chrome: https://web.dev/same-site-same-origin/
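The mechanism behind the report, as an added example that is not part of the issue or of the PSL project's code: a minimal Public Suffix List lookup (normal rules only; wildcard and exception rules are omitted) together with the RFC 6265 cookie Domain-attribute check and the "same site" test that both depend on it. It mirrors what libpsl's test-is-cookie-domain-acceptable exercises. The two rule lists are constructed excerpts, not the real PSL, and the hostnames attacker.gitee.io and victim.gitee.io are hypothetical.

```javascript
// Added example (not code from the Gitee issue or from the PSL project):
// PSL lookup + RFC 6265 Domain-attribute check, run before and after a
// constructed "gitee.io" entry is added. The rule lists are constructed
// excerpts, not the real list.

// Constructed PSL excerpt as it stood when the issue was filed: gitee.io absent.
const PSL_BEFORE = ["io", "dev", "github.io", "pages.dev", "vercel.app"];
// The same excerpt with the entry the issue asks for.
const PSL_AFTER = [...PSL_BEFORE, "gitee.io"];

// PSL algorithm for normal rules: the matching rule with the most labels wins.
// A host that matches no rule falls back to its last label (the implicit "*").
function publicSuffix(host, rules) {
  const labels = host.toLowerCase().split(".");
  let best = labels[labels.length - 1];
  for (const rule of rules) {
    const r = rule.split(".");
    if (r.length > labels.length) continue;
    const tail = labels.slice(labels.length - r.length).join(".");
    if (tail === rule && r.length > best.split(".").length) best = rule;
  }
  return best;
}

// Registrable domain (eTLD+1); null when the host itself is a public suffix.
function registrableDomain(host, rules) {
  const suffix = publicSuffix(host, rules);
  const h = host.toLowerCase();
  if (h === suffix) return null;
  const extra = h.slice(0, h.length - suffix.length - 1).split(".");
  return extra[extra.length - 1] + "." + suffix;
}

// RFC 6265 section 5.1.3 domain matching.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 section 5.3, steps 5 and 6: a Domain attribute is honoured (i.e.
// the cookie is shared with every host under it) only if it domain-matches
// the request host and is not a public suffix. A public-suffix Domain is
// never honoured: equal to the host it degrades to host-only, otherwise the
// cookie is dropped.
function cookieDomainAcceptable(requestHost, cookieDomain, rules) {
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (publicSuffix(d, rules) === d) return false;
  return domainMatches(requestHost, d);
}

// "Same site" as used by SameSite cookies: the two hosts share a registrable
// domain (scheme is ignored here since both pages are https).
function sameSite(hostA, hostB, rules) {
  const a = registrableDomain(hostA, rules);
  const b = registrableDomain(hostB, rules);
  return a !== null && a === b;
}

// The scenario from the issue, evaluated against one rule list.
function report(rules) {
  return {
    // Can a page on the attacker's Gitee Pages site set Domain=gitee.io?
    attackerCanSetSharedCookie: cookieDomainAcceptable("attacker.gitee.io", "gitee.io", rules),
    // If it can, the browser sends that cookie to the victim's site too.
    victimReceivesIt: domainMatches("victim.gitee.io", "gitee.io"),
    // And SameSite=Strict/Lax gives no protection between the two sites.
    sitesAreSameSite: sameSite("attacker.gitee.io", "victim.gitee.io", rules),
    registrable: registrableDomain("victim.gitee.io", rules),
  };
}

console.log("before listing gitee.io:", report(PSL_BEFORE));
console.log("after listing gitee.io: ", report(PSL_AFTER));
// github.io is already listed, so the same attempt fails there today.
console.log("github.io:", cookieDomainAcceptable("someone.github.io", "github.io", PSL_BEFORE));
```

With PSL_BEFORE the registrable domain of victim.gitee.io is gitee.io, so a Domain=gitee.io cookie set by attacker.gitee.io is accepted, sent to victim.gitee.io, and the two are same-site; with PSL_AFTER the registrable domain becomes victim.gitee.io, the Domain attribute is rejected, and the sites are cross-site. Real browsers use the full PSL (with wildcard and exception rules) and also apply the list to document.domain and other origin-scoped features, which this excerpt does not model.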

Comments (2)

popcorner created the issue
popcorner edited the description
诺墨 set the assignee to atompi
atompi added collaborator atompi
atompi changed the assignee from atompi to 李明华
李明华 changed the status from Pending confirmation to In progress

Public Suffix List (PSL) Pull Request (PR) Template

Each PSL PR needs to have a description, rationale, indication of DNS validation and syntax checking, as well as a number of acknowledgements from the submitter. This template must be included with each PR, and the submitting party MUST provide responses to all of the elements in order to be considered.

Checklist of required steps

  • Description of Organization

  • Robust Reason for PSL Inclusion

  • DNS verification via dig

  • Run Syntax Checker (make test)

  • Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _PSL txt record in place in the respective zone(s) in the affected section

Submitter affirms the following:

  • We are listing any third-party limits that we seek to work around in our rationale such as those between iOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)
  • This request was not submitted with the objective of working around other third-party limits
  • The Guidelines were carefully read and understood, and this request conforms
  • The submission follows the guidelines on formatting and sorting

For Private section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.

To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.

PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.

(Link: about propagation/expectations)

  • Yes, I understand. I could break my organization's website cookies etc. and the rollback timing, etc is acceptable. Proceed.

Description of Organization

We provide a code hosting and collaborative development platform for developers/enterprises, with more than 10 million developers, more than 25 million hosting projects, bringing together almost all original open source projects in China, and launched the Enterprise Edition in 2016, providing enterprise-level code hosting services, becoming a leading SaaS service provider in the development field.

Organization Website:

Reason for PSL Inclusion

Gitee.io is a domain name used by Gitee, a Chinese-based provider of Git-based collaboration and code hosting services, to provide a service similar to GitHub Pages. Gitee.io allows users to create websites and web pages using HTML, CSS, and JavaScript, and host them on the Gitee platform. As the use of gitee.io domain names becomes more widespread, there is a potential risk of malicious actors using similar domain names to impersonate Gitee or its services. To mitigate this risk and protect users, we recommend adding gitee.io to the Public Suffix List. This will ensure that only Gitee and authorized entities can create subdomains under gitee.io, providing an additional layer of security for users and businesses using Gitee's services.

Number of users this request is being made to serve:
More than 10 million

DNS Verification via dig

dig +short TXT _psl.gitee.io

Results of Syntax Checker (make test)

Testsuite summary for libpsl 0.21.2
# TOTAL: 3
# PASS:  3
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
Making check in tests
  CC       test-is-public.o
  CC       test-is-public-all.o
  CC       test-is-cookie-domain-acceptable.o
  CC       test-is-public-builtin.o
  CC       test-registrable-domain.o
  CCLD     test-is-cookie-domain-acceptable
  CCLD     test-is-public-builtin
  CCLD     test-is-public
  CCLD     test-is-public-all
  CCLD     test-registrable-domain
PASS: test-is-public-builtin
PASS: test-is-public
PASS: test-is-cookie-domain-acceptable
PASS: test-registrable-domain
PASS: test-is-public-all
Testsuite summary for libpsl 0.21.2
# TOTAL: 5
# PASS:  5
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
Making check in msvc


李明华 set the associated project to Gitee Ops Team (deleted)
李明华 changed the associated project from Gitee Ops Team (deleted) to Not set
atompi changed the task type from Bug to Ops ticket
atompi set the associated project to Gitee SRE
李明华 set the logged hours to 2 hours
李明华 changed the logged hours from 2 hours to 3 hours
atompi added
liwen set the cost center to Gitee SaaS Platform V2.0
