Security: Fix critical global exposure vulnerability in WebRTC Manager

Browse Source

- Remove dangerous global window exposure of encryption keys and manager instance
- Replace window.webrtcManager/globalWebRTCManager with secure limited API
- Add window.secureBitChat with validated public methods only
- Implement automatic monitoring for unauthorized global exposure attempts
- Add security integrity checks and emergency shutdown capability
- Prevent access to sensitive data (encryption keys, session data, internal methods)
- Maintain full functionality while securing internal implementation

BREAKING CHANGE: window.webrtcManager is no longer available
MIGRATION: Use window.secureBitChat.sendMessage() instead of window.webrtcManager.sendMessage()

Security Impact: CRITICAL - Prevents XSS attacks from accessing encryption keys
Tested: All functionality preserved, file transfers working, connections stable

...

This commit is contained in:

lockbitchat

2025-08-20 23:04:29 -04:00

parent 241212a315

commit 73850f423c

1 changed files with 935 additions and 265 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

1200

src/network/EnhancedSecureWebRTCManager.js

File diff suppressed because it is too large Load Diff