fix: secure WebVNC browser handoffs#1024
Conversation
|
Codex review: found issues before merge. Reviewed July 9, 2026, 3:25 AM ET / 07:25 UTC. Summary Reproducibility: not applicable. as a conventional bug reproduction: this is a security-hardening PR. Source inspection confirms current main still creates username/password fragments, and the PR body provides live WebVNC proof for the changed behavior. Review metrics: 2 noteworthy metrics.
Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Risk before merge
Maintainer options:
Next step before merge
Maintainer decision needed
Security Review findings
Review detailsBest possible solution: Land the URL-fragment hardening after maintainer acceptance of the handoff storage boundary and removal of the release-owned CHANGELOG.md entry, while tracking plaintext-at-rest storage separately in #969. Do we have a high-confidence way to reproduce the issue? Not applicable as a conventional bug reproduction: this is a security-hardening PR. Source inspection confirms current main still creates username/password fragments, and the PR body provides live WebVNC proof for the changed behavior. Is this the best way to solve the issue? Unclear pending maintainer security intent: one-use tickets are a narrow fix for URL fragments, but reusing plaintext Durable Object handoff records for CLI credentials should be explicitly accepted or redesigned first. Full review comments:
Overall correctness: patch is correct AGENTS.md: found, but no applicable review policy affected this item. Codex review notes: model internal, reasoning high; reviewed against 2a0120722173. Label changesLabel changes:
Label justifications:
Evidence reviewedSecurity concerns:
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
Summary
Verification
go test -race ./...go vet ./...npm run format:check --prefix workernpm run lint --prefix workernpm run check --prefix workernpm test --prefix workernpm run build --prefix workernpm run build:node --prefix workerLive proof
local-containercbx_a8378a283279webvnc --open --take-control: connected viewer; no username, password, or handoff remained in the Chrome URL404, first correct redemption200, replay401