Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CORS Support #1529

Merged
merged 6 commits into from
Jul 29, 2015
Merged

Fix CORS Support #1529

merged 6 commits into from
Jul 29, 2015

Conversation

jbenet
Copy link
Member

@jbenet jbenet commented Jul 28, 2015

This PR

  • Fixes CORS bugs
  • Improves support for CORS options
  • Removes Referrer Checking
  • Defaults to localhost/127.0.0.1 CORS Origins
  • Allows Setting arbitrary HTTP headers on API responses

@jbenet
Copy link
Member Author

jbenet commented Jul 28, 2015

@whyrusleeping @cryptix PTAL

@jbenet jbenet added this to the IPFS 0.3.6 milestone Jul 28, 2015

func skipAPIHeader(h string) bool {
switch h {
default:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seeing default first and implicit continues always weirds me out in the logic. maybe:

switch h{
    case "Access-Control-Allow-Origin":
       return true
    case "Access-Control-Allow-Methods":
       return true
    case "Access-Control-Allow-Credentials":
       return true
    default:
        return false
}

just to be explicit?

@whyrusleeping
Copy link
Member

LGTM

jbenet added a commit that referenced this pull request Jul 28, 2015
jbenet added a commit that referenced this pull request Jul 28, 2015
@mappum
Copy link
Contributor

mappum commented Jul 28, 2015

CORS headers do not prevent CSRF attacks, so this doesn't restore the security of #1521. Here is an attack example, if your daemon is on this branch then visiting the page will pin something to your node: http://localhost:8080/ipfs/QmYeRGr8PY3yigx2aTvK8B9e4HVUy3h4b2r3tsZHaYBduD

(Note that the attack can come from any website you visit, it doesn't have to be an IPFS-hosted page).

Pinning arbitrary things is only a sort-of scary attack, but more critical attacks could be possible too (e.g. making someone publish the attacker's hash for their IPNS names).

@jbenet
Copy link
Member Author

jbenet commented Jul 28, 2015

@mappum QmYeRGr8PY3yigx2aTvK8B9e4HVUy3h4b2r3tsZHaYBduD is not resolving -- pin on irc?

@daviddias
Copy link
Member

@mappum To prevent CSRF, we should have some kind of token (a CSRF token of a JSON WebToken), blocking by referer header doesn't make it impenetrable and it can be annoying for web app devs.

@jbenet
Copy link
Member Author

jbenet commented Jul 28, 2015

+1 for token, though it can also be annoying in its own right.

maybe:

var ipfs = ipfsApi(...)

could get the token async? not sure.

@mappum and @diasdavid would you discuss and decide? you know more about all the constraints than me

@jbenet
Copy link
Member Author

jbenet commented Jul 28, 2015

I would really like to fix + merge this so we can release 0.3.6 soon-- it has lots of important bugfixes.

@jbenet jbenet mentioned this pull request Jul 29, 2015
jbenet added 6 commits July 28, 2015 23:08
This commit fixes + improves CORS support

License: MIT
Signed-off-by: Juan Batiz-Benet <[email protected]>
it used to be here for a CSRF check. but we now have CORS checks.

License: MIT
Signed-off-by: Juan Batiz-Benet <[email protected]>
this commit adds the ability to specify arbitrary HTTP headers
for either the Gateway or the API. simply set the desired headers
on the config:

    ipfs config --json API.HTTPHeaders.X-MyHdr '["meow :)"]'
    ipfs config --json Gateway.HTTPHeaders.X-MyHdr '["meow :)"]'

License: MIT
Signed-off-by: Juan Batiz-Benet <[email protected]>
this commit makes the API handler short circuit the request if the
CORS headers say its not allowed. (the CORS handler only sets the
headers, but does not short-circuit)

It also makes the handler respect the referer again. See security
discussion at #1532

License: MIT
Signed-off-by: Juan Batiz-Benet <[email protected]>
this commit introduces more serious CORS tests that check
status response codes, and run real HTTP requests.

License: MIT
Signed-off-by: Juan Batiz-Benet <[email protected]>
@jbenet
Copy link
Member Author

jbenet commented Jul 29, 2015

aaaand done.

jbenet added a commit that referenced this pull request Jul 29, 2015
@jbenet jbenet merged commit 9e4d6e1 into master Jul 29, 2015
@jbenet jbenet removed the status/in-progress In progress label Jul 29, 2015
@jbenet jbenet deleted the cors-fix branch July 29, 2015 06:34
@jbenet jbenet mentioned this pull request Aug 3, 2015
35 tasks
kbala444 pushed a commit to kbala444/go-ipfs that referenced this pull request Aug 15, 2015
keks pushed a commit to ipfs/go-ipfs-cmds that referenced this pull request Jan 28, 2017
hacdias pushed a commit to ipfs/boxo that referenced this pull request Jan 27, 2023
Fix CORS Support

This commit was moved from ipfs/kubo@9e4d6e1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants