[meteor-talk] Fast Render 2.0


Arunoda Susiripala

Nov 27, 2014, 10:43:52 AM
to meteo...@googlegroups.com
Hi,

In the last couple of weeks, I've almost rewritten Fast Render and tried to make it more stable. It was a success. Now we have Fast Render 2.0.

> If you are new to Fast Render, it helps to load and render your Meteor app very quickly. It's something similar to server-side rendering. Try this lesson on BulletProof Meteor to get started.

Feature-wise there are no major things. But now FR is more stable and works out of the box in most cases. I also removed some unused APIs, and these are the only APIs we have now.

Now, FR comes with a built-in debugger where you can test whether Fast Render has been enabled or not.

Let me know how it works with your app.

Cheers.

Chris M

Nov 27, 2014, 1:45:43 PM
to meteo...@googlegroups.com
Cool! Is it still true that Fast Render should not be used on *.meteor.com hosted apps due to a security issue? Or is that fixed in the new version?

Arunoda Susiripala

Nov 27, 2014, 4:21:08 PM
to meteo...@googlegroups.com
No, it's still there. That's hard to fix. The only fix is to use a custom domain.
--
You received this message because you are subscribed to the Google Groups "meteor-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to meteor-talk...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/meteor-talk/fa9e4509-74b4-48af-ab10-671d38d05ccb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Tony Nguyen

Nov 29, 2014, 9:59:21 AM
to meteo...@googlegroups.com
We can still use Fast Render for *.meteor.com hosted apps, provided that a separate domain is used, can't we?

Arunoda Susiripala

Nov 29, 2014, 10:03:35 AM
to meteo...@googlegroups.com
Yes, sure. If so, there is no issue.

Tony Nguyen

Nov 29, 2014, 10:10:45 AM
to meteo...@googlegroups.com
Thanks, Arunoda, for the confirmation. I found that information in the Fast Render GitHub and this topic:
https://groups.google.com/forum/#!topic/meteor-talk/Zhy1c6MdOH8

Emily Stark

Dec 3, 2014, 1:07:46 PM
to meteo...@googlegroups.com, Arunoda Susiripala
Hey Arunoda,

I had a simple idea for a way that I think fast-render could be fixed for the shared domain case. The problem to fix is that a user might end up with an "evil" login token as their cookie and their real login token in localStorage. So maybe before using any of the fast-render data in the HTTP response, fast-render (on the client) could just check if the login token in the cookie is equal to the token in localStorage. If the cookie is different than the value in localStorage, fast-render should assume that something fishy is going on and ignore the fast-render data.

Do you think that would work? I'm not sure if it's a complete fix but I think at the least it makes the attack much harder to pull off.

Emily

Arunoda Susiripala

Dec 3, 2014, 9:21:10 PM
to meteo...@googlegroups.com
I think that's a clever idea. With this, we'll still get the data.

I'm just trying to see whether there is any issue with that. If not, we are good to go.
Still, the bad user can trigger side effects related to him; is that going to cause any issues?


Arunoda Susiripala

Dec 4, 2014, 9:36:07 PM
to meteo...@googlegroups.com
I think, Emily, your suggestion needs one upgrade.

Now, even though we blocked rendering the data, an evil user can steal a legitimate user's loginToken by asking the legitimate user to visit a bad Meteor app.

We can solve this by simply introducing a token which only works for fast rendering.

What do you think?

Emily Stark

Dec 4, 2014, 11:02:01 PM
to meteo...@googlegroups.com
Hey Arunoda -- I don't understand; how could an evil app steal a legitimate user's login token?


Arunoda Susiripala

Dec 4, 2014, 11:26:58 PM
to meteo...@googlegroups.com
Okay, let's put it like this.

We have two apps:


There is a user called "james".

James visits kadira.meteor.com, logs in and does stuff. Then he finds bad.meteor.com on crater.io.
It's a simple app with some Meteor memes. But behind the scenes, it collects all loginTokens in cookies and stores them.

So, when James visits bad.meteor.com it collects James's login token. Then the owner of bad.meteor.com can take that loginToken and simply log in to kadira.meteor.com.

I didn't try this. This is possible, right?

Emily Stark

Dec 4, 2014, 11:47:06 PM
to meteo...@googlegroups.com
No, that's not possible. bad.meteor.com can't read cookies that are scoped to kadira.meteor.com. The problem is that bad.meteor.com can *set* cookies that get sent to kadira.meteor.com, so bad.meteor.com can inject data into James's kadira.meteor.com page. (But that can be fixed by my suggestion of checking that kadira.meteor.com's cookie hasn't been tampered with.)

Arunoda Susiripala

Dec 4, 2014, 11:52:57 PM
to meteo...@googlegroups.com
Oh yes, my bad.
I'll implement this feature.  Thanks.

Arunoda Susiripala

Dec 6, 2014, 10:06:57 PM
to meteo...@googlegroups.com
I've implemented the fix suggested by Emily.
It comes with Fast Render 2.1.0.

With this, it's okay to use Fast Render even with shared domains like *.meteor.com or *.herokuapp.com.
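An added example, not fast-render's own code and not from any participant in this thread, modelling the shared-domain problem Emily describes above (bad.meteor.com cannot read kadira.meteor.com's cookie, but can set a cookie that kadira.meteor.com receives) and the client-side check she proposed, which the 2.1.0 release says it implements. A minimal cookie jar applies the RFC 6265 rules that matter here; a stand-in server renders data for the first login-token cookie it sees and embeds the token it used; the client compares that embedded token with the real token in localStorage and discards the data on mismatch. The cookie name `meteor_login_token`, the localStorage key `Meteor.loginToken`, the token values, the user table, the first-cookie-wins parsing and the embedding of the token in the payload are all assumptions made for this example, not fast-render's actual design.

```javascript
// Added example, not fast-render's own code. Models the shared-domain cookie
// injection discussed in the thread and the client-side token check that
// rejects injected fast-render data. Key names and data are assumptions.
const COOKIE_NAME = 'meteor_login_token';  // assumed name of the cookie mirroring the token
const STORAGE_KEY = 'Meteor.loginToken';   // assumed localStorage key holding the real token

// Minimal cookie jar implementing the RFC 6265 rules that matter here:
// a host-only cookie is sent only to the host that set it, a cookie with
// Domain=meteor.com is sent to every subdomain of meteor.com, and cookies
// with longer Path values are listed first in the Cookie header.
class CookieJar {
  constructor() { this.cookies = []; this.seq = 0; }

  // `host` is the page that set the cookie; a page may target its own host
  // or a parent domain, never an unrelated one.
  set(host, name, value, attrs = {}) {
    const domain = attrs.domain ? attrs.domain.replace(/^\./, '') : host;
    const path = attrs.path || '/';
    if (host !== domain && !host.endsWith('.' + domain)) throw new Error('domain not allowed');
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain && c.path === path));
    this.cookies.push({ name, value, domain, hostOnly: !attrs.domain, path, created: this.seq++ });
  }

  // Cookie header the browser would send for https://host/path
  header(host, path) {
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : host === c.domain || host.endsWith('.' + c.domain)))
      .filter(c => path === c.path || path.startsWith(c.path.endsWith('/') ? c.path : c.path + '/'))
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Constructed token -> user table standing in for the server's session store.
const USERS_BY_TOKEN = {
  'tok-james': { name: 'james', apps: ['kadira-prod'] },
  'tok-evil': { name: 'mallory', apps: ['memes'] },
};

// Many cookie parsers keep the first occurrence of a repeated name; the
// stand-in server does the same (assumption).
function firstCookie(header, name) {
  for (const part of header.split(/;\s*/)) {
    const i = part.indexOf('=');
    if (i > 0 && part.slice(0, i) === name) return part.slice(i + 1);
  }
  return null;
}

// Server side: render the data for whichever token arrived in the cookie and
// embed that token alongside it so the client can verify who it was rendered for.
function renderFastRenderPayload(cookieHeader) {
  const loginToken = firstCookie(cookieHeader, COOKIE_NAME);
  const user = loginToken ? USERS_BY_TOKEN[loginToken] : null;
  return { loginToken, data: user ? { me: user.name, apps: user.apps } : { me: null } };
}

// Client side: the check proposed in the thread. Use the server-rendered data
// only if the token it was rendered for equals the real token in localStorage;
// otherwise drop it and let the normal DDP subscriptions load the data.
function acceptFastRenderData(payload, localStorage) {
  const realToken = localStorage[STORAGE_KEY] || null;
  return payload.loginToken === realToken ? payload.data : null;
}

// Walk through the scenario from the thread.
function runScenario() {
  const jar = new CookieJar();
  const jamesLocalStorage = { [STORAGE_KEY]: 'tok-james' };

  // 1. James logs in to kadira.meteor.com; his token is mirrored into a host-only cookie.
  jar.set('kadira.meteor.com', COOKIE_NAME, 'tok-james');
  const seenByBad = jar.header('bad.meteor.com', '/');   // '' : bad.meteor.com cannot read it
  const before = renderFastRenderPayload(jar.header('kadira.meteor.com', '/'));

  // 2. James visits bad.meteor.com, which plants its own token on the parent domain
  //    with a longer Path so it sorts ahead of the legitimate cookie.
  jar.set('bad.meteor.com', COOKIE_NAME, 'tok-evil', { domain: '.meteor.com', path: '/dashboard' });

  // 3. James returns to kadira.meteor.com/dashboard; both cookies are sent, the injected one first.
  const header = jar.header('kadira.meteor.com', '/dashboard');
  const after = renderFastRenderPayload(header);

  return {
    seenByBad,
    before: acceptFastRenderData(before, jamesLocalStorage),
    header,
    renderedFor: after.loginToken,
    unchecked: after.data,
    checked: acceptFastRenderData(after, jamesLocalStorage),
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Without the check, James's page would be seeded with mallory's data; with it, the mismatch between the embedded `tok-evil` and the stored `tok-james` makes the client throw the payload away and fall back to the normal load, which is the fail-closed behaviour the thread settles on.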