mirror of https://github.com/openclaw/openclaw.git
iOS: restrict A2UI action dispatch to trusted canvas URLs (#58471)
* fix(ios): restrict a2ui bridge trust * test(ios): cover fragment-strip trust and document raw-string equality * fix(ios): normalize capability URL before trust comparison in canvas commands * fix(ios): trim canvas.navigate url before trust comparison * chore: add changelog for iOS A2UI trust boundary --------- Co-authored-by: Devin Robison <drobison@nvidia.com>
This commit is contained in:
Agustin Rivera
GitHub
parent
00aa31a30c
commit
49d08382a9
|
|
@ -24,6 +24,7 @@ Docs: https://docs.openclaw.ai
|
|||
- ACP/Windows spawn: fail closed on unresolved `.cmd` and `.bat` OpenClaw wrappers unless a caller explicitly opts into shell fallback, so Windows ACP launches do not silently drop into shell-mediated execution when wrapper unwrapping fails. (#58436) Thanks @eleqtrizit.
|
||||
- Exec/Windows: prefer strict-inline-eval denial over generic allowlist prompts for interpreter carriers, while keeping persisted Windows allow-always approvals argv-bound. (#59780) Thanks @luoyanglang.
|
||||
- Gateway/connect: omit admin-scoped config and auth metadata from lower-privilege `hello-ok` snapshots while preserving those fields for admin reconnects. (#58469) Thanks @eleqtrizit.
|
||||
- iOS/canvas: restrict A2UI bridge trust to the bundled scaffold and exact capability-backed remote canvas URLs, so generic `canvas.navigate` and `canvas.present` loads no longer gain action-dispatch authority. (#58471) Thanks @eleqtrizit.
|
||||
|
||||
## 2026.4.2-beta.1
|
||||
|
||||
|
|
|
|||
|
|
@ -33,6 +33,19 @@ extension NodeAppModel {
|
|||
return base.appendingPathComponent("__openclaw__/a2ui/").absoluteString + "?platform=ios"
|
||||
}
|
||||
|
||||
/// Normalize a URL string for trust comparison: lowercase scheme/host and strip fragment.
|
||||
/// This matches the normalization applied by ScreenController.isTrustedCanvasUIURL so that
|
||||
/// SPA hash-routing fragments and scheme/host casing do not silently prevent trust being set.
|
||||
static func normalizeURLForTrustComparison(_ raw: String) -> String {
|
||||
guard let url = URL(string: raw),
|
||||
var components = URLComponents(url: url, resolvingAgainstBaseURL: false)
|
||||
else { return raw }
|
||||
components.fragment = nil
|
||||
components.scheme = components.scheme?.lowercased()
|
||||
components.host = components.host?.lowercased()
|
||||
return components.url?.absoluteString ?? raw
|
||||
}
|
||||
|
||||
func showA2UIOnConnectIfNeeded() async {
|
||||
await MainActor.run {
|
||||
// Keep the bundled home canvas as the default connected view.
|
||||
|
|
@ -46,7 +59,7 @@ extension NodeAppModel {
|
|||
guard let initialUrl = await self.resolveA2UIHostURLWithCapabilityRefresh() else {
|
||||
return .hostNotConfigured
|
||||
}
|
||||
self.screen.navigate(to: initialUrl)
|
||||
self.screen.navigate(to: initialUrl, trustA2UIActions: true)
|
||||
if await self.screen.waitForA2UIReady(timeoutMs: timeoutMs) {
|
||||
return .ready(initialUrl)
|
||||
}
|
||||
|
|
@ -54,7 +67,7 @@ extension NodeAppModel {
|
|||
// First render can fail when scoped capability rotates between reconnects.
|
||||
guard await self.gatewaySession.refreshNodeCanvasCapability() else { return .hostUnavailable }
|
||||
guard let refreshedUrl = await self.resolveA2UIHostURL() else { return .hostUnavailable }
|
||||
self.screen.navigate(to: refreshedUrl)
|
||||
self.screen.navigate(to: refreshedUrl, trustA2UIActions: true)
|
||||
if await self.screen.waitForA2UIReady(timeoutMs: timeoutMs) {
|
||||
return .ready(refreshedUrl)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -851,7 +851,8 @@ final class NodeAppModel {
|
|||
if url.isEmpty {
|
||||
self.screen.showDefaultCanvas()
|
||||
} else {
|
||||
self.screen.navigate(to: url)
|
||||
let trustedA2UIURL = await self.resolveA2UIHostURL()
|
||||
self.screen.navigate(to: url, trustA2UIActions: trustedA2UIURL == Self.normalizeURLForTrustComparison(url))
|
||||
}
|
||||
return BridgeInvokeResponse(id: req.id, ok: true)
|
||||
case OpenClawCanvasCommand.hide.rawValue:
|
||||
|
|
@ -859,7 +860,9 @@ final class NodeAppModel {
|
|||
return BridgeInvokeResponse(id: req.id, ok: true)
|
||||
case OpenClawCanvasCommand.navigate.rawValue:
|
||||
let params = try Self.decodeParams(OpenClawCanvasNavigateParams.self, from: req.paramsJSON)
|
||||
self.screen.navigate(to: params.url)
|
||||
let trimmedURL = params.url.trimmingCharacters(in: .whitespacesAndNewlines)
|
||||
let trustedA2UIURL = await self.resolveA2UIHostURL()
|
||||
self.screen.navigate(to: trimmedURL, trustA2UIActions: trustedA2UIURL == Self.normalizeURLForTrustComparison(trimmedURL))
|
||||
return BridgeInvokeResponse(id: req.id, ok: true)
|
||||
case OpenClawCanvasCommand.evalJS.rawValue:
|
||||
let params = try Self.decodeParams(OpenClawCanvasEvalParams.self, from: req.paramsJSON)
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ import WebKit
|
|||
@Observable
|
||||
final class ScreenController {
|
||||
private weak var activeWebView: WKWebView?
|
||||
private var trustedRemoteA2UIURL: URL?
|
||||
|
||||
var urlString: String = ""
|
||||
var errorText: String?
|
||||
|
|
@ -26,10 +27,11 @@ final class ScreenController {
|
|||
self.reload()
|
||||
}
|
||||
|
||||
func navigate(to urlString: String) {
|
||||
func navigate(to urlString: String, trustA2UIActions: Bool = false) {
|
||||
let trimmed = urlString.trimmingCharacters(in: .whitespacesAndNewlines)
|
||||
if trimmed.isEmpty {
|
||||
self.urlString = ""
|
||||
self.trustedRemoteA2UIURL = nil
|
||||
self.reload()
|
||||
return
|
||||
}
|
||||
|
|
@ -43,6 +45,7 @@ final class ScreenController {
|
|||
return
|
||||
}
|
||||
self.urlString = (trimmed == "/" ? "" : trimmed)
|
||||
self.trustedRemoteA2UIURL = trustA2UIActions ? Self.normalizeTrustedRemoteA2UIURL(from: trimmed) : nil
|
||||
self.reload()
|
||||
}
|
||||
|
||||
|
|
@ -72,6 +75,7 @@ final class ScreenController {
|
|||
|
||||
func showDefaultCanvas() {
|
||||
self.urlString = ""
|
||||
self.trustedRemoteA2UIURL = nil
|
||||
self.reload()
|
||||
}
|
||||
|
||||
|
|
@ -237,28 +241,17 @@ final class ScreenController {
|
|||
subdirectory: "CanvasScaffold")
|
||||
|
||||
func isTrustedCanvasUIURL(_ url: URL) -> Bool {
|
||||
guard url.isFileURL else { return false }
|
||||
let std = url.standardizedFileURL
|
||||
if let expected = Self.canvasScaffoldURL,
|
||||
std == expected.standardizedFileURL
|
||||
{
|
||||
return true
|
||||
if url.isFileURL {
|
||||
let std = url.standardizedFileURL
|
||||
if let expected = Self.canvasScaffoldURL,
|
||||
std == expected.standardizedFileURL
|
||||
{
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
private func applyScrollBehavior() {
|
||||
guard let webView = self.activeWebView else { return }
|
||||
let trimmed = self.urlString.trimmingCharacters(in: .whitespacesAndNewlines)
|
||||
let allowScroll = !trimmed.isEmpty
|
||||
let scrollView = webView.scrollView
|
||||
// Default canvas needs raw touch events; external pages should scroll.
|
||||
scrollView.isScrollEnabled = allowScroll
|
||||
scrollView.bounces = allowScroll
|
||||
}
|
||||
|
||||
func isLocalNetworkCanvasURL(_ url: URL) -> Bool {
|
||||
LocalNetworkURLSupport.isLocalNetworkHTTPURL(url)
|
||||
guard let trusted = self.trustedRemoteA2UIURL else { return false }
|
||||
return Self.normalizeTrustedRemoteA2UIURL(from: url) == trusted
|
||||
}
|
||||
|
||||
nonisolated static func parseA2UIActionBody(_ body: Any) -> [String: Any]? {
|
||||
|
|
@ -278,6 +271,36 @@ final class ScreenController {
|
|||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
private func applyScrollBehavior() {
|
||||
guard let webView = self.activeWebView else { return }
|
||||
let trimmed = self.urlString.trimmingCharacters(in: .whitespacesAndNewlines)
|
||||
let allowScroll = !trimmed.isEmpty
|
||||
let scrollView = webView.scrollView
|
||||
// Default canvas needs raw touch events; external pages should scroll.
|
||||
scrollView.isScrollEnabled = allowScroll
|
||||
scrollView.bounces = allowScroll
|
||||
}
|
||||
|
||||
private static func normalizeTrustedRemoteA2UIURL(from raw: String) -> URL? {
|
||||
guard let url = URL(string: raw) else { return nil }
|
||||
return self.normalizeTrustedRemoteA2UIURL(from: url)
|
||||
}
|
||||
|
||||
private static func normalizeTrustedRemoteA2UIURL(from url: URL) -> URL? {
|
||||
guard !url.isFileURL else { return nil }
|
||||
guard let scheme = url.scheme?.lowercased(), scheme == "http" || scheme == "https" else {
|
||||
return nil
|
||||
}
|
||||
guard let host = url.host?.trimmingCharacters(in: .whitespacesAndNewlines), !host.isEmpty else {
|
||||
return nil
|
||||
}
|
||||
var components = URLComponents(url: url, resolvingAgainstBaseURL: false)
|
||||
components?.scheme = scheme
|
||||
components?.host = host.lowercased()
|
||||
components?.fragment = nil
|
||||
return components?.url
|
||||
}
|
||||
}
|
||||
|
||||
extension Double {
|
||||
|
|
|
|||
|
|
@ -180,12 +180,7 @@ private final class CanvasA2UIActionMessageHandler: NSObject, WKScriptMessageHan
|
|||
guard let controller else { return }
|
||||
|
||||
guard let url = message.webView?.url else { return }
|
||||
if url.isFileURL {
|
||||
guard controller.isTrustedCanvasUIURL(url) else { return }
|
||||
} else {
|
||||
// For security, only accept actions from local-network pages (e.g. the canvas host).
|
||||
guard controller.isLocalNetworkCanvasURL(url) else { return }
|
||||
}
|
||||
guard controller.isTrustedCanvasUIURL(url) else { return }
|
||||
|
||||
guard let body = ScreenController.parseA2UIActionBody(message.body) else { return }
|
||||
|
||||
|
|
|
|||
|
|
@ -66,17 +66,26 @@ private func mountScreen(_ screen: ScreenController) throws -> (ScreenWebViewCoo
|
|||
}
|
||||
}
|
||||
|
||||
@Test @MainActor func localNetworkCanvasURLsAreAllowed() {
|
||||
@Test @MainActor func trustedRemoteA2UIURLMustMatchExactly() {
|
||||
let screen = ScreenController()
|
||||
#expect(screen.isLocalNetworkCanvasURL(URL(string: "http://localhost:18789/")!) == true)
|
||||
#expect(screen.isLocalNetworkCanvasURL(URL(string: "http://openclaw.local:18789/")!) == true)
|
||||
#expect(screen.isLocalNetworkCanvasURL(URL(string: "http://peters-mac-studio-1:18789/")!) == true)
|
||||
#expect(screen.isLocalNetworkCanvasURL(URL(string: "https://peters-mac-studio-1.ts.net:18789/")!) == true)
|
||||
#expect(screen.isLocalNetworkCanvasURL(URL(string: "http://192.168.0.10:18789/")!) == true)
|
||||
#expect(screen.isLocalNetworkCanvasURL(URL(string: "http://10.0.0.10:18789/")!) == true)
|
||||
#expect(screen.isLocalNetworkCanvasURL(URL(string: "http://100.123.224.76:18789/")!) == true) // Tailscale CGNAT
|
||||
#expect(screen.isLocalNetworkCanvasURL(URL(string: "https://example.com/")!) == false)
|
||||
#expect(screen.isLocalNetworkCanvasURL(URL(string: "http://8.8.8.8/")!) == false)
|
||||
let trusted = "https://node.ts.net:18789/__openclaw__/a2ui/?platform=ios"
|
||||
screen.navigate(to: trusted, trustA2UIActions: true)
|
||||
|
||||
#expect(screen.isTrustedCanvasUIURL(URL(string: trusted)!) == true)
|
||||
// Fragment differences must not affect trust (SPA hash routing).
|
||||
#expect(screen.isTrustedCanvasUIURL(URL(string: "https://node.ts.net:18789/__openclaw__/a2ui/?platform=ios#step2")!) == true)
|
||||
#expect(screen.isTrustedCanvasUIURL(URL(string: "https://node.ts.net:18789/__openclaw__/a2ui/?platform=android")!) == false)
|
||||
#expect(screen.isTrustedCanvasUIURL(URL(string: "https://node.ts.net:18789/__openclaw__/canvas/")!) == false)
|
||||
#expect(screen.isTrustedCanvasUIURL(URL(string: "https://evil.ts.net:18789/__openclaw__/a2ui/?platform=ios")!) == false)
|
||||
#expect(screen.isTrustedCanvasUIURL(URL(string: "http://192.168.0.10:18789/")!) == false)
|
||||
}
|
||||
|
||||
@Test @MainActor func genericNavigationClearsTrustedRemoteA2UIURL() {
|
||||
let screen = ScreenController()
|
||||
screen.navigate(to: "https://node.ts.net:18789/__openclaw__/a2ui/?platform=ios", trustA2UIActions: true)
|
||||
screen.navigate(to: "https://evil.ts.net:18789/")
|
||||
|
||||
#expect(screen.isTrustedCanvasUIURL(URL(string: "https://node.ts.net:18789/__openclaw__/a2ui/?platform=ios")!) == false)
|
||||
}
|
||||
|
||||
@Test func parseA2UIActionBodyAcceptsJSONString() throws {
|
||||
|
|
|
|||
Loading…
Reference in New Issue