Chat is a very important part of a community. Some of the features chat provides include:

- Quick communication between users
- Direct access to support staff to resolve issues
- A way for users to meet other users outside of the site
- A way for users to post announcements to help other users

Chat was previously unsafe: it could be used to attack Discourse through cross-site scripting (XSS). In version 0.9, chat was made safe by adding a barrier between the chat code and the rest of the site. It is now impossible for an attacker to inject unsafe code into a Discourse chat room.

How to Stay Safe While Using Discourse Chat

There are a couple of steps you can take to stay safe on Discourse chat.

First, make sure that your browser is up to date and has the latest security patches installed. Second, use an HTTPS URL when connecting to Discourse chat from a browser; this encrypts your communication so that it cannot be read by third parties on the network. Finally, if you are using an older version of Chrome, update to the latest version as soon as possible.

XSS protection in chat

As of version 0.9, it is impossible for an attacker to inject unsafe code into a Discourse chat room. Previously, attackers could inject XSS (cross-site scripting) into a chat room through the "chat" function. This was possible because the chat code was written directly into the website's source code. With 0.9, the chat code was moved to a separate module that is not required by the rest of the site and therefore cannot be accessed directly by other parts of Discourse. This prevents injection vulnerabilities from being introduced into this part of the site by developers.
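The XSS risk described above comes down to how a chat renderer turns an untrusted message string into page markup. The following is an added illustration, not Discourse's own chat code: it places an unsafe renderer (message text spliced straight into HTML) beside a safe one (every user-supplied field HTML-escaped first) and includes a small check a reviewer or test suite could run to detect tags that did not come from the template. The message and author strings are constructed sample input.

```javascript
// Added example (not Discourse code): rendering chat messages without XSS.
// Assumption: chat messages arrive as plain strings from untrusted users.

// Escape the five characters that can change HTML structure or break out
// of an attribute value. Everything else passes through unchanged.
function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// UNSAFE: the message body is spliced straight into markup, so any tag in
// the message becomes part of the page. This is the pattern that creates
// an XSS hole in a chat renderer.
function renderMessageUnsafe(author, body) {
  return `<div class="chat-message"><b>${author}</b>: ${body}</div>`;
}

// SAFE: every untrusted field is escaped first, so user text is always
// rendered as text and never interpreted as markup.
function renderMessageSafe(author, body) {
  return `<div class="chat-message"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Detection helper for a review or test suite: does the rendered output
// contain any tag other than the ones the template itself emits?
function containsForeignTag(html) {
  const allowed = ['div', 'b', '/div', '/b'];
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample message containing markup, as an untrusted user might send it.
const SAMPLE_AUTHOR = 'mallory';
const SAMPLE_BODY = 'hello <script>alert("xss")</script> world';

const unsafeHtml = renderMessageUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY);
const safeHtml = renderMessageSafe(SAMPLE_AUTHOR, SAMPLE_BODY);
console.log('unsafe render leaks a tag:', containsForeignTag(unsafeHtml));
console.log('safe render leaks a tag:  ', containsForeignTag(safeHtml));
console.log(safeHtml);
```

In a real browser client the same effect is obtained by assigning user text to `textContent` rather than `innerHTML`; the escaping function shown here is the string-level equivalent for server-side or template rendering.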

How Discourse Chat Works

Discourse chat works by creating a new room for each user that is not on the site. The chat room is then hosted in a separate environment and cannot be accessed from the main site. There are different settings that can be configured, including:

- Who sees a message
- The duration of messages
- Who can post to the chat

How did Discourse protect chat?

Discourse uses a front-end application called "Chat" to allow users to communicate with one another. The issue was that Discourse, like all web applications, allowed people to inject unsafe code into their sites through the use of a vulnerability class called XSS (cross-site scripting). Previously, it was possible for an attacker to inject XSS into a Discourse chat room and then execute any malicious code they wanted. This vulnerability in Discourse gave the attacker a way of accessing sensitive information about Discourse users and also allowed them to control how users interacted with each other.

In order to fix this issue, Discourse created an additional barrier between the chat code and the rest of the site, which has made it impossible for an attacker to inject unsafe code into a chat room. Now, even if someone did manage to do this and gain access to your account, they would be unable to interact with other people or send messages. This version is now safe and secure, so that only you can communicate within it.

Timeline

Published on: 10/06/2022 20:15:00 UTC
Last modified on: 10/11/2022 14:50:00 UTC