API needs authentication or to stop using POST #137
Comments
We have CORS setup with flask_cors so this should not be possible. Line 80 in df76a77
Can you reproduce it with aw-server-rust as well? We are using rocket_cors in aw-server-rust, worked a few months ago at least. I'm unfortunately on vacation and don't have a laptop with me, so I can't reproduce ATM.
Looking at that source file, I notice that the CORS headers are only configured for the That should probably be fixed.
I don't see any fixable bug in CORS, and my report may have been misleading; what I'm reporting is that the lack of authentication means having correct CORS configuration does not block POST, and so authentication is needed. But I also might have misunderstood CORS. I'll double check on latest.
No, I think you're right. I've thought through this before (a long time ago) and came to the conclusion it was not a (significant) issue, at the time. I still think there's not much of an issue in our case (except maybe a low-severity disk-spam/DoS vuln), but you are right: other origins can make cross-site POST requests, they just won't see the response. (https://security.stackexchange.com/questions/183981/why-dont-browsers-block-cross-site-posts-by-default) I'm sick right now, so don't have the brain power for security mindset. But we should look into whether we can remedy this. (check Origin header server-side?) Thank you for raising this issue again, always appreciate an extra set of eyes on security. Edit: asked ChatGPT too just for reference. I think it covers the issue pretty well: https://chat.openai.com/share/2a9730d7-e762-4075-8b49-2c6ebc4a3d7b
Arbitrary websites can request localhost URLs unless they have the appropriate headers, and this only protects against some request types. Specifically, POST is not blocked by a lack of an Access-Control-Allow-Origin header. ActivityWatch does not appear to have one, so the browser should block requests from webpages loaded from remote URLs. https://about.gitlab.com/blog/2021/09/07/why-are-developers-vulnerable-to-driveby-attacks/
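The point made in the report and in the "check Origin header server-side?" comment above, as an added example that is not aw-server's code: CORS only withholds the response from a cross-site page, it does not stop the browser from sending a simple POST, so a localhost API that accepts unauthenticated writes needs its own server-side check. The block below is a stdlib-only WSGI middleware that rejects state-changing requests whose Origin is not on an allow-list (or whose Sec-Fetch-Site says cross-site), and drives it with constructed requests so the difference between a drive-by POST, the local UI's POST and a non-browser client is visible. The allow-list origins, the toy API and the request path are assumptions; wrapping a Flask app as app.wsgi_app = origin_guard(app.wsgi_app) is the assumed integration point.

```python
from urllib.parse import urlsplit

# Constructed allow-list: origins the local web UI is served from.
# Assumption: the UI lives on this localhost port; adjust to the real deployment.
ALLOWED_ORIGINS = frozenset({"http://localhost:5600", "http://127.0.0.1:5600"})

# Only writes are guarded; for reads, CORS already hides the response cross-site.
STATE_CHANGING = frozenset({"POST", "PUT", "PATCH", "DELETE"})


def origin_is_trusted(origin, allowed=ALLOWED_ORIGINS):
    """True only for an exact scheme://host[:port] match; 'null' and junk fail."""
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
        return False
    return origin.lower() in {a.lower() for a in allowed}


def request_is_allowed(method, origin, sec_fetch_site=None, allowed=ALLOWED_ORIGINS):
    """Decide whether a request may reach the API (the middleware's policy)."""
    if method.upper() not in STATE_CHANGING:
        return True                      # reads are left to CORS
    if sec_fetch_site == "cross-site":
        return False                     # modern browsers label cross-site fetches
    if origin is None:
        return True                      # no Origin: not a browser page (curl, a local client)
    return origin_is_trusted(origin, allowed)


def origin_guard(app, allowed=ALLOWED_ORIGINS):
    """WSGI middleware: 403 for disallowed writes, otherwise pass through."""
    def guarded(environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET")
        origin = environ.get("HTTP_ORIGIN")
        site = environ.get("HTTP_SEC_FETCH_SITE")
        if not request_is_allowed(method, origin, site, allowed):
            body = b'{"error": "cross-site request rejected"}'
            start_response("403 Forbidden", [("Content-Type", "application/json"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return guarded


# Toy stand-in for an event-storing API (constructed, not aw-server's code).
EVENTS = []


def toy_api(environ, start_response):
    if environ["REQUEST_METHOD"] == "POST":
        EVENTS.append("event")
        start_response("201 Created", [("Content-Type", "text/plain")])
        return [b"stored"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [str(len(EVENTS)).encode()]


def simulate(app, method, origin=None, sec_fetch_site=None):
    """Drive a WSGI app with a constructed request; return (status_code, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/api/events"}  # constructed path
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    if sec_fetch_site is not None:
        environ["HTTP_SEC_FETCH_SITE"] = sec_fetch_site
    captured = {}

    def start_response(status, headers):
        captured["status"] = int(status.split()[0])

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def demo():
    """Status codes seen by each kind of client once the guard is in place."""
    EVENTS.clear()
    api = origin_guard(toy_api)
    results = {
        # a page on another site firing a simple POST at localhost
        "drive_by_post": simulate(api, "POST", "https://evil.example", "cross-site")[0],
        # sandboxed iframe / file:// page: browsers send Origin: null
        "null_origin_post": simulate(api, "POST", "null")[0],
        # the local web UI itself
        "ui_post": simulate(api, "POST", "http://localhost:5600", "same-origin")[0],
        # non-browser client (no Origin header at all)
        "cli_post": simulate(api, "POST")[0],
        # cross-site read: passed through, CORS decides whether the page sees it
        "drive_by_get": simulate(api, "GET", "https://evil.example")[0],
    }
    results["events_stored"] = len(EVENTS)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things worth noting about the design: the allow-list is an exact origin match rather than a prefix, so an origin such as http://localhost:5600.attacker.example does not slip through, and a request with no Origin header is deliberately let through, because browsers always attach Origin to POST while command-line tools and local client libraries do not. That means the check closes the browser drive-by vector discussed in this issue and nothing more; any local process can still talk to the API, which is the part that only authentication addresses.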