Api returning 403 on wrong referer #1521
Comments
Yeah, this is incorrect. I have a fix in the works https://github.com/ipfs/go-ipfs/compare/cors-fix but it's not done yet. (anyone feel free to pick it up.) I'd like to rebase this on top of #1519
@mappum what was the problem with the referer? (does correct CORS take care of it?) cc @diasdavid
I believe it's a CSRF that we were worried about: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Checking_The_Referer_Header o/ says checking referer isn't so great. I think proper CORS fixes things
addressed in #1529
In the API browserify test suite, I need to make API requests with referer set to localhost and some arbitrary port.
https://github.com/ipfs/go-ipfs/blob/master/commands/http/handler.go#L84
This however sends me a 403.
@jbenet I think this is the same issue you had with the federated wiki thing. I talked to @diasdavid and he suspected that this is outdated code since #1215 - could we simply remove this block?
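
The behaviour discussed in this thread, as an added Go example that is not go-ipfs code and not written by anyone in the thread: a strict same-host Referer check answers 403 to a page served from another localhost port, while an explicit origin allowlist lets a configured test origin through and still rejects others. The names `refererCheck`, `originCheck` and `status`, the API address and the allowlisted origin are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// refererCheck (hypothetical): 403 for any non-empty Referer outside the API's own http://host/.
func refererCheck(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ref := r.Referer(); ref != "" && !strings.HasPrefix(ref, "http://"+r.Host+"/") {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// originCheck: allowlist on Origin, else on the origin part of Referer; requests with neither pass.
func originCheck(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if u, err := url.Parse(r.Referer()); origin == "" && err == nil && u.Host != "" {
			origin = u.Scheme + "://" + u.Host
		}
		if origin != "" && !allowed[origin] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one constructed API request with a single header through h and returns the code.
func status(h http.Handler, header, value string) int {
	req := httptest.NewRequest("POST", "http://127.0.0.1:5001/api/v0/version", nil)
	req.Header.Set(header, value)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	ok := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	allow := map[string]bool{"http://localhost:3000": true} // constructed allowlist
	fmt.Println(status(refererCheck(ok), "Referer", "http://localhost:3000/"), status(originCheck(allow, ok), "Referer", "http://localhost:3000/"))
}
```
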