blockstack-browser 正在参加 2021 年度 OSC 中国开源项目评选,请投票支持!
blockstack-browser 在 2021 年度 OSC 中国开源项目评选 中已获得 {{ projectVoteCount }} 票,请投票支持!
2021 年度 OSC 中国开源项目评选 正在火热进行中,快来投票支持你喜欢的开源项目!
2021 年度 OSC 中国开源项目评选 >>> 中场回顾
blockstack-browser 获得 2021 年度 OSC 中国开源项目评选「最佳人气项目」 !
授权协议 MPL-2.0 License
开发语言 JavaScript
操作系统 跨平台
软件类型 开源软件
所属分类 大数据数据存储
地区 不详
投 递 者 首席测试
适用人群 未知
收录时间 2021-11-30


Blockstack Browser CircleCI branch BrowserStack Status License Slack

The Blockstack Browser allows you to explore the Blockstack internet.

⚠️ IMPORTANT: This project has been deprecated in favor of the Blockstack App. It will receive only critical updates by Blockstack PBC going forward.

Table of contents


Download the latest release



Please note these instructions have only been tested on macOS 10.13

  1. Download and install the latest release of Blockstack for Mac.
  2. Start Blockstack
  3. Option-click the Blockstack menu bar item and select "Enable Development Mode"
  4. Clone this repo: git clone
  5. Install node dependencies: npm install
  6. Run npm run dev


  1. Clone this repo: git clone
  2. Install node dependencies: npm install
  3. Run npm run dev

Note: npm dev runs a BrowserSync process that watches the assets in /app, then builds them and places them in /build, and in turn serves them up on port 3000. When changes are made to the original files, they are rebuilt and re-synced to the browser frames you have open.


Common problems and solutions:

  • The sign-in page does not load: These instructions run the Browser in development mode, which uses a different port (3000) than the production mode (8888). However, existing applications will direct you to http://localhost:8888 on sign-in. You will need to manually edit the URL to change 8888 to 3000 and refresh the page.

  • The sign-in page does not load with localhost:3000: If you have taken the above step and the page still does not load, check your auth= query parameter. If it starts with any number of / characters, remove them and reload the page. For example, if your auth= query looks like auth=///abcdef..., then you will need to change it to auth=abcdef....

Building for macOS

  1. Make sure you have a working installation of Xcode >=9 and Node.js >=10.
  2. Run npm run mac:release:dev to build an unsigned application bundle.
  3. The output bundle is located at native/macos/export/

Note: This has only been tested on macOS High Sierra 10.13

Building a macOS release for distribution

  1. Ensure you have valid Developer ID signing credentials in your Keychain. (See for more information)
  2. Open the Blockstack macOS project in Xcode and configure your code signing development team (You only need to do this once)
  3. Make sure you have an OpenSSL ready for bottling by homebrew by running brew install openssl --build-bottle
  4. Open the Blockstack macOS project in Xcode.
  5. Select the Product menu and click Archive.
  6. When the archive build completes, the Organizer window will open. Select your new build.
  7. Click "Export..."
  8. Click "Export a Developer ID-signed Application"
  9. Choose the development team with the Developer ID you'd like to use to sign the application.
  10. Click "Export" and select the location to which you would like to save the signed build.

Building for Windows


Run npm run win32.

This will:

  • Run the webpack build.
  • Setup the resources used by msbuild and the WiX msi project.
  • Run msbuild to compile the native app and create the msi installation file.

The output file can be found at native\windows\BlockstackSetup\bin\Release\en-us\BlockstackSetup.msi.

This does not perform any code or installer file signing.

Building for the Web

  1. Make sure you've cloned the repo and installed all npm assets (as shown above)
  2. Run npm run web

Building for Linux (dpkg)

  1. Install fpm
  2. Run ./native/linux/
  3. A .deb package will be placed in ./native/linux/dist/


We do project-wide sprints every two weeks and we're always looking for more help.

If you'd like to contribute, head to the contributing guidelines. Inside you'll find directions for opening issues, coding standards, and notes on development.


The Browser uses log4js for logging. The macOS app uses macOS's unified logging API, os_log for logging.


On macOS, the Browser sends log events to the macOS app's log server. These are then included in macOS's unified logging API. You can view logs by starting

To see only Blockstack process logs, filter by process by typing process: Blockstack in the search box. You can also filter for only log entries proactively generated by the BLockstack project using this query: subsystem:org.blockstack.portal subsystem:org.blockstack.core subsystem:org.blockstack.mac If you'd like to see more detail, enable the inclusion of Info and Debug messages in the Action menu. Please note that in our experience, doesn't always show debug messages in real time and only shows them when doing a log dump as described below.

Sending logs to developers

Blockstack logs are included in macOS's unified logging system. This allows us to easily collect a large amount of information about the user's system when we need to troubleshoot a problem while protecting their privacy.

  1. Press Shift-Control-Option-Command-Period. Your screen will briefly flash.
  2. After a few minutes, a Finder window will automatically open to /private/var/tmp
  3. Send the most recent sysdiagnose_DATE_TIME.tar.gz file to your friendly developers.

The most important file in this archive is system_logs.logarchive, which will include recent system logs including Blockstack's logs. You can open it on a Mac using The other files include information about your computer that may help in diagnosing problems.

If you're worried about inadvertently sending some private information, you can select the log entries you'd like to send inside and copy them into an email or github issue. To help us debug your problem, we ask that at a minimum you enable Info and Debug messages and filter by process: Blockstack.

More technical users (with admin permission) can use the sysdiagnose command to generate a custom dump of information.

Tech Stack

This app uses the latest versions of the following libraries:

And a few other smaller modules (these can be found in package.json).


This repository is maintained by


Run all tests in the test/ directory with the npm run test command. A single file can be run by specifing an -f flag: npm run test <PATH_TO_TEST_FILE>.

Note: When running tests, code coverage will be automatically calculated and output to an HTML file using the Istanbul library. These files can be seen in the generated __coverage__/ directory.

App Development

Run the browser in the Blockstack Test Environment

When developing apps, the browser can be run in a Docker test environment that is backed by the regtest bitcoin network, hence no real money involved.

Note: The Dockerfile creates an image that release on AMD64 architecture.

The easiest way to get that setup is through Docker containers for the api, the browser and the cors-proxy. There is a docker-compose.yaml file published in the Blockstack todo app repo that does this. To use it, first install Docker and stop any running Blockstack applications (blockstack-browser or blockstack api) then:

$ docker-compose up -d

This brings up

  • A blockstack-core api node that is backed

    • by a bitcoind instance running regtest and
    • by a blockstack-core node built from the test chain.

    The initialization script generates 50 BTCs for the core wallet.

  • a blockstack-browser node. It uses bitcoin addresses that are mapped to regtest bitcoin addresses.

  • a cors-proxy to bypass origin policy issues.

The easiest way to work with this setup is in Incognito mode in your browser. Once the images have been pulled down and the containers are started you can open http://localhost:8888.

Choose the Advanced Mode setup and enter the API Password as blockstack_integration_test_api_password

Common Tasks

  • You can send bitcoins from the core wallet to the browser wallet by opening the hidden url http://localhost:8888/wallet/send-core

  • You can inspect the mapped bitcoin addresses from the browser node to the regtest address by looking into the log file of the api node (execute bash in the api container and look at /tmp/blockstack-run-scenario.blockstack_integration_tests.scenarios.portal_test_env/client/api_endpoint.log).

  • You can inspect the api password by looking into the client.ini file of the api node (execute bash in the api container and look at /tmp/blockstack-run-scenario.blockstack_integration_tests.scenarios.portal_test_env/client/client.ini)

  • You can verify the blockstack version of the api node by running curl localhost:6270/v1/node/ping




点击引领话题📣 发布并加入讨论🔥
{{o.pubDate | formatDate}}


{{parseInt(o.replyCount) | bigNumberTransform}}
{{parseInt(o.viewCount) | bigNumberTransform}}
{{o.pubDate | formatDate}}


{{parseInt(o.replyCount) | bigNumberTransform}}
{{parseInt(o.viewCount) | bigNumberTransform}}
serialize-javascript < 2.1.2 跨站脚本漏洞
serialize-javascript是一款支持将JavaScript序列化为 JSON超集的软件包。 serialize-javascript 2.1.1之前版本中存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行js代码。
CVE-2019-16769 MPS-2019-15864
2023-12-20 19:27
kind-of 存在注入漏洞
kind-of是一款JavaScript类型检查软件包。 kind-of受影响版本存在验证绕过漏洞。它利用不安全的用户输入的内置构造函数来检测类型信息。恶意的有效负载可以覆盖这个内置属性,以操纵类型检测结果。
CVE-2019-20149 MPS-2019-17164
2023-12-20 19:27
SockJS <0.3.20 异常处理不当漏洞
sockjs 是一个 JavaScript 库(用于浏览器),它提供了一个类似 WebSocket 的对象。 SockJS 0.3.20之前版本中存在异常处理不当漏洞,该漏洞源于程序没有正确处理Upgrade标头,错误处理带有值 websocket 的升级标头会导致托管 sockjs 应用程序的容器崩溃。
CVE-2020-7693 MPS-2020-10001
2023-12-20 19:27
schema-inspector 安全漏洞
schema-inspector 1.6.9之前版本中存在安全漏洞。攻击者可通过制作恶意的JavaScript对象利用该漏洞绕过schema-inspector中使用的sanitize()和validate()函数。
CVE-2019-10781 MPS-2020-1046
2023-12-20 19:27
Ajv v6.12.2 输入验证错误漏洞
Ajv 是另一个 JSON 模式验证器。 Ajv 6.12.2 版本存在动态确定的对象属性的不当控制修改漏洞,其中ajv.validate()函数对输入验证不严谨。攻击者可利用该漏洞提供一个精心设计的 JSON 模式,通过原型污染执行其他代码,进而执行代码或造成拒绝服务。
CVE-2020-15366 MPS-2020-10525
2023-12-20 19:27
property-expr 输入验证错误漏洞
property-expr 2.0.3之前版本中存在原型污染漏洞。目前尚无此漏洞的相关信息,请随时关注CNNVD或厂商公告。
CVE-2020-7707 MPS-2020-11771
2023-12-20 19:27
node-forge <0.10.0 对象属性的不当控制修改漏洞
node-forge 是网络传输、密码学、密码、PKI、消息摘要和各种实用程序的 JavaScript 实现。 node-forge 的受影响版本容易通过该util.setPath函数受到原型污染。攻击者可以利用此漏洞修改原型属性,从而造成拒绝服务。
CVE-2020-7720 MPS-2020-12281
2023-12-20 19:27
npm node-fetch 不加限制的资源分配漏洞
node-fetch 是一个轻量级模块,它将 window.fetch 引入 node.js node-fetch 2.6.1和3.0.0-beta版本中存在安全漏洞。该漏洞源于内容大小超过限制时,将永远不会抛出FetchError。攻击者可利用此漏洞造成拒绝服务。
CVE-2020-15168 MPS-2020-12719
2023-12-20 19:27
ua-parser-js <0.7.22 正则表达式拒绝服务漏洞
ua-parser-js 是基于JavaScript的User-Agent字符串解析器。 ua-parser-js 的受影响版本中解析 Redmi 手机和 Mi Pad Tablets UA 的正则表达式正则表达式时存在拒绝服务漏洞,攻击者可利用该漏洞进行ReDoS攻击,从而造成服务瘫痪。
CVE-2020-7733 MPS-2020-13044
2023-12-20 19:27
pathval <1.1.1 原型污染漏洞
pathval 是Chai.js团队的一个用于基于 String 字符串来检索和设置对象的 Npm 代码库。 pathval 1.1.1之前版本存在原型污染漏洞。攻击者可以通过setPathValue函数对js原型对象进行修改,从而造成拒绝服务或远程代码执行。
CVE-2020-7751 MPS-2020-15246
2023-12-20 19:27
lodash <4.17.15 原型污染漏洞
lodash是一款开源的JavaScript实用程序库。 lodash 4.17.15及之前版本中存在输入验证错误漏洞。远程攻击者可通过 zipObjectDeep 修改对象原型的属性,在系统上执行任意代码。
CVE-2020-8203 MPS-2020-15679
2023-12-20 19:27
ua-parser-js DOS漏洞
ua-parser-js是基于JavaScript的User-Agent字符串解析器。可以在浏览器(客户端)或node.js(服务器端)环境中使用。也可以作为jQuery / Zepto插件,Bower / Meteor软件包和RequireJS / AMD模块使用。 ua-parser-js 0.7.23 之前版本存在安全漏洞,该漏洞源于ue -parser-js很容易受到正则表达式在多个正则表达式中的拒绝服务(ReDoS)的攻击。 攻击者可利用该漏洞使目标服务停止响应甚至崩溃。
CVE-2020-7793 MPS-2020-17428
2023-12-20 19:27
Yargs Y18n 输入原型污染漏洞
Yargs Y18n 是一个由JavaScript编写的类似 I18n 的代码库。 受影响版本中由于 Y18N 类处理语言文件时没有进行适当的清理,攻击者可通过 setLocale 函数修改对象原型的属性,远程执行恶意代码。
CVE-2020-7774 MPS-2020-17543
2023-12-20 19:27
Ini <1.3.6原型污染漏洞
ini是一个用于Node的ini编码器/解码器。 该包的受影响版本存在原型污染漏洞。如果攻击者向使用ini.parse解析的应用程序提交恶意的INI文件,则会污染应用程序上的原型,攻击者可利用该漏洞执行恶意Javascript代码。
CVE-2020-7788 MPS-2020-17544
2023-12-20 19:27
minimist 原型污染漏洞
minimist是一款命令行参数解析工具。 minimist 1.2.2之前版本存在输入原型污染漏洞。 攻击者可借助 constructor 和 __proto__ 向 JavaScript 语言构造(例如对象)添加任意属性,通过覆盖原型对象的属性方法可能造成拒绝服务和远程代码执行的危害。
CVE-2020-7598 MPS-2020-3516
2023-12-20 19:27
yargs-parser 原型污染漏洞
yargs-parser是一个npm选项解析器。 yargs-parser 13.1.2之前版本、14.0.0及之后版本(15.0.1版本已修复)和16.0.0及之后版本(18.1.1版本已修复)中存在原型污染漏洞。 攻击者可以向 JavaScript 语言构造(例如对象)添加任意属性,通过覆盖原型对象的属性方法可能造成拒绝服务和远程代码执行的危害。
CVE-2020-7608 MPS-2020-4006
2023-12-20 19:27
decompress package 路径遍历漏洞
decompress package是一款解压缩软件包。 decompress package 4.2.1之前版本(Node.js)中存在路径遍历漏洞。攻击者可借助 ../ 字符串或软链接文件利用该漏洞写入任意文件。
CVE-2020-12265 MPS-2020-6640
2023-12-20 19:27
serialize-javascript <3.1.0 任意代码执行漏洞
Verizon serialize-javascript是美国威瑞森电信(Verizon)公司的一款支持将JavaScript序列化为 JSON超集的软件包。 serialize-javascript 3.1.0之前版本中存在任意代码执行漏洞。 漏洞源于serialize-javascript序列化时,对象{"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"}被序列化为{"foo": /1"/, "bar": "a\/1"/},UID 在启动时生成一次,这意味着如果攻击者可以同时控制bar,foo的输入并且猜测到 <UID> 的值,进而从bar中的检测中逃逸,注入任意代码。 远程攻击者可利用该漏洞注入任意代码。
CVE-2020-7660 MPS-2020-7976
2023-12-20 19:27
websocket-extensions<0.1.4 正则表达式拒绝服务漏洞
websocket-extensions是一款开源的WebSocket通用扩展管理器。 websocket-extensions(npm)1.0.4之前版本中在解析包含未闭合字符串参数值的标头时可能会花费指数级时间从而存在正则表达式拒绝服务漏洞。攻击者可借助Sec-WebSocket-Extensions标头利用该漏洞造成拒绝服务。
CVE-2020-7662 MPS-2020-8041
2023-12-20 19:27
websocket-extensions 拒绝服务漏洞
websocket-extensions是一款开源的WebSocket通用扩展管理器。 ruby语言的websocket-extensions 0.1.5之前版本和js语言的websocket-extensions 0.1.4之前版本的中存在正则表达式拒绝服务漏洞。攻击者可借助恶意的payload利用该漏洞造成拒绝服务。
CVE-2020-7663 MPS-2020-8042
2023-12-20 19:27
0 评论
0 收藏