Category: Coding Mistakes

Cross-site scripting via ignored content-disposition header

Low Severity
Low Impact
High Likelihood

Description

The Reclaim app's WebView ignores the Content-Disposition HTTP header on responses. Many websites serve potentially untrusted files with the Content-Disposition: attachment header so that the browser downloads the file instead of rendering it. Because the Reclaim WebView ignores this header, such a file is rendered in the context of the site that serves it, which may expose the WebView to cross-site scripting attacks on some websites.

Impact

An attacker can compromise the integrity and confidentiality of user data on any website that serves untrusted file downloads with the content-disposition: attachment header.

Recommendations

The Reclaim WebView should fail to navigate to any URL that responds with the content-disposition: attachment header.
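The check that this recommendation describes, written as an added example that is not part of this report or of Reclaim's code base: a TypeScript decision function that a WebView's navigation-response hook can call with the response headers. It parses the Content-Disposition value (disposition type plus parameters, handling quoted filenames and case-insensitive header names), treats a missing header as "render" and, following RFC 6266, treats any disposition type other than "inline" the same as "attachment". The function names, the header map shape and the sample headers are assumptions of this example; how a given platform WebView exposes response headers is outside what the report states.

```typescript
// Added example, not Reclaim's code: refuse WebView navigation for
// responses that carry a non-inline Content-Disposition header.

interface Disposition {
  type: string;                      // "inline", "attachment", ... (lowercased)
  params: Record<string, string>;    // e.g. filename, filename*
}

// Parse the parameter list after the disposition type. Quoted values may
// contain ';' and backslash-escaped quotes, so we cannot just split on ';'.
function parseParams(s: string): Record<string, string> {
  const params: Record<string, string> = {};
  let i = 0;
  while (i < s.length) {
    while (i < s.length && (s[i] === " " || s[i] === "\t" || s[i] === ";")) i++;
    if (i >= s.length) break;
    const eq = s.indexOf("=", i);
    const semi = s.indexOf(";", i);
    if (eq === -1) break;                     // trailing bare token, nothing more to parse
    if (semi !== -1 && semi < eq) {           // bare token without '=': skip it
      i = semi + 1;
      continue;
    }
    const name = s.slice(i, eq).trim().toLowerCase();
    i = eq + 1;
    while (i < s.length && (s[i] === " " || s[i] === "\t")) i++;
    let value = "";
    if (s[i] === '"') {
      i++;
      while (i < s.length && s[i] !== '"') {
        if (s[i] === "\\" && i + 1 < s.length) { value += s[i + 1]; i += 2; }
        else { value += s[i]; i++; }
      }
      i++;                                    // closing quote
    } else {
      const end = s.indexOf(";", i);
      value = (end === -1 ? s.slice(i) : s.slice(i, end)).trim();
      i = end === -1 ? s.length : end;
    }
    if (name) params[name] = value;
  }
  return params;
}

// Returns null when the header is absent or empty.
function parseContentDisposition(value: string | null | undefined): Disposition | null {
  if (value == null) return null;
  const trimmed = value.trim();
  if (trimmed === "") return null;
  const semi = trimmed.indexOf(";");
  const type = (semi === -1 ? trimmed : trimmed.slice(0, semi)).trim().toLowerCase();
  const params = semi === -1 ? {} : parseParams(trimmed.slice(semi + 1));
  return { type, params };
}

// Decision for the WebView: true means "do not render this response".
// Header names are matched case-insensitively. RFC 6266 says unknown
// disposition types are to be handled like "attachment", so only an explicit
// "inline" (or no header at all) is allowed to render.
function shouldBlockNavigation(headers: Record<string, string>): boolean {
  const key = Object.keys(headers).find(k => k.toLowerCase() === "content-disposition");
  const disp = parseContentDisposition(key ? headers[key] : null);
  if (disp === null) return false;
  return disp.type !== "inline";
}

// Constructed sample responses (not from the report) showing the decision.
const sampleResponses: Record<string, string>[] = [
  { "Content-Type": "text/html" },                                         // render
  { "content-disposition": "INLINE" },                                     // render
  { "Content-Disposition": 'attachment; filename="report;v2.html"' },      // block
];
for (const h of sampleResponses) {
  console.log(JSON.stringify(h), "->", shouldBlockNavigation(h) ? "block" : "render");
}
```

In a real integration the function would be called from whatever hook the platform WebView offers for inspecting a navigation response, and a blocked navigation should surface an error to the user rather than silently showing a blank page.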

Remediation

CreatorOS Inc provided the following response:

Since the severity of the issue is low and due to some limitations, Reclaim Protocol will leave this fix for future work.

Zellic © 2025