New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature request: support for CORS #4850
Comments
There are some serious security issues with enabling Javascript access to local print servers, which is why access is locked down as tightly as it is (to address known attack vectors) and why we no longer listen on localhost by default. I'll keep this issue open for now, but I am not comfortable with enabling direct access to CUPS from arbitrary web pages. |
CORS support should not be enabled by default, only by configuration I agree with your attack vector considerations.
• CORS Flowchart: http://www.html5rocks.com/static/images/cors_server_flowchart.png |
I like to share my opinion from a Linux distributor's point of view I am not comfortable with enabling any access I am not comfortable with not thoroughly verified The borderline between secure and insecure is often I do not know what is meant in #4850 (comment) E.g. CUPS device URIs on a CUPS server that point to lpstat -h cups-server.domain -v And CUPS device URIs that point to print queues on a ipp://cups-server.domain/printers/queue_name and in general CUPS queue names are not a secret. |
Jsmeix, your concern is covered by the use case "share printer: yes/no". Even with printer sharing enabled no browser supports executing commands like HTTP headers are produced by all CUPS installations. CUPS is the reference implementation for IPP which is based on HTTP. Any IPP client can connect to CUPS from anywhere as long as it is configured for remote access. Because JavaScript engines of browsers run in a sandbox we need this feature. If JavaScript code wants to connect to another server the engine first asks the other server if that's okay. This is what CORS is about. We're talking just about one single extra optional header value that would make cumbersome workarounds like using nginx obsolete. |
Onesail, the issue (and the reason why CUPS has so many remote access protections) is that while the Javascript execution environment is often a pretty tight sandbox, there are a LOT of vulnerabilities there (every security conference exposes new ones) and opening a HTML file or web page can result in arbitrary code being executed with no feedback to the user. So we won't be enabling this by default, if we support it at all... |
We've decided not to support this. |
Doesn't IPP support authentication and TLS encryption that could mitigate these security concerns? |
A workaround for this issue should be to fulfil the CORS requirements by letting CUPS deliver the 'risky' javascript files. This way the javascript code should be allowed to connect to it's own host. The DocumentRoot is usually
see also williamkapke/ipp#3 |
@michaelrsweet Any chance for revisiting this in 2021? It would really simplify things for users of SaaS applications served through the browser that need to print documents if some sort of CORs configuration could be enabled via CUPs. As it stands, the printer must be exposed (hopefully securely) over the internet instead of just the LAN. This seems worse than exposing CORs to the LAN. Considering most people cannot configure a router, it is unlikely that the average person working from home is sharing their printer over the internet securely... Being able to point and click that "fancyprintjobs.example.com" should be allowed to print via the browser could only be a good thing here |
@thenewguy If this was ever supported, it will be in OpenPrinting CUPS and definitely not in Apple CUPS (which is firmly in maintenance mode now...) |
Linking related issue OpenPrinting/cups#266 |
Currently JavaScript clients can not directly connect to CUPS.
If CUPS produced a valid CORS header JavaScript clients could print to or query CUPS.
So far it's common practice to have some kind of forwarding component involved.
in cupsd.conf add:
EnableCORS *
should make CUPS produce HTTP responses with header
Access-Control-Allow-Origin: *
NB:
I added this line in the Location section of cupd.conf
Header set Access-Control-Allow-Origin "*"
but it looks like mod_header ist not supported by CUPS:
E [04/Jul/2016:19:36:52 +0200] Unknown Location directive Header on line 15.
IPP for node.js / javascript currently does not work in browsers
see also: williamkapke/ipp#3
The text was updated successfully, but these errors were encountered: