CORS issues #1944

Closed
adamamyl opened this issue Sep 22, 2014 · 2 comments
@adamamyl (Contributor)

The API application running on the server was implementing an HTML5 cross-origin resource sharing (CORS) policy which allowed access from any domain. Allowing access from all domains means that any domain can perform two-way interaction with the application via requests sent to this server. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.

Suggested fix

It is recommended that the domains which are allowed by the CORS policy in relation to any sensitive content within the application should be reviewed, and that it should be determined whether it is appropriate for the application to trust both the intentions and security posture of those domains.

Related tickets

#1000

(2.3 : can't add labels here)
(origin: pentest)

@amercader (Member)

Restrict via config options. Inactivate by default on 2.3

@amercader amercader self-assigned this Oct 2, 2014
@joetsoi joetsoi assigned adamamyl and unassigned amercader Oct 2, 2014
@amercader amercader added this to the CKAN 2.3 milestone Oct 22, 2014
@amercader amercader assigned brew and unassigned adamamyl Oct 23, 2014
brew added a commit to brew/ckan that referenced this issue Oct 27, 2014
New config settings:
ckan.cors.origin_allow_all = <true|false>
ckan.cors.origin_whitelist = <space separated list of allowable domain origins>

Access-Control-Allow headers will only be set in the response if the
request contains an Origin header, the origin_allow_all setting is
present, and either:

a) the origin_allow_all setting is true, or
b) the request origin is listed in the origin_whitelist setting
brew added a commit to brew/ckan that referenced this issue Oct 28, 2014
brew added a commit to brew/ckan that referenced this issue Oct 28, 2014
brew added a commit to brew/ckan that referenced this issue Oct 28, 2014
These are commented out by default.
@brew brew closed this as completed Nov 4, 2014
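The decision rule spelled out in the commit message above (headers only when an Origin header is present, the origin_allow_all setting exists in the config, and either allow-all is true or the origin is in the whitelist) is small enough to write out in full. The following is an added illustrative reimplementation in Python, not CKAN's own code: the two config key names come from the commit message, while the parsing of the boolean, the use of `*` for the allow-all case, and the added `Vary: Origin` header are this example's own choices.

```python
# Illustrative reimplementation of the CORS decision described in the commit
# message for CKAN issue #1944. Added example, not CKAN's code. Only the two
# config key names are taken from the issue; everything else is an assumption.

ALLOW_ALL_KEY = "ckan.cors.origin_allow_all"
WHITELIST_KEY = "ckan.cors.origin_whitelist"


def _as_bool(value):
    """Parse a config string such as 'true'/'false' (assumed parsing rule)."""
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def cors_headers(config, request_headers):
    """Return the Access-Control-* headers to add to a response, or {} if none.

    Headers are set only if (1) the request carries an Origin header,
    (2) the origin_allow_all setting is present in the config, and (3) either
    that setting is true or the request origin is listed in the whitelist.
    """
    # HTTP header names are case-insensitive; normalise once before lookup.
    headers = {k.lower(): v for k, v in request_headers.items()}
    origin = headers.get("origin")
    if not origin:
        return {}  # not a cross-origin request, nothing to add
    if ALLOW_ALL_KEY not in config:
        return {}  # feature inactive: the setting is commented out by default

    if _as_bool(config[ALLOW_ALL_KEY]):
        allowed_origin = "*"  # assumption: wildcard when allowing every origin
    else:
        # The whitelist is space separated. Compare the full origin string
        # exactly: a prefix or substring match would also accept unrelated
        # origins that merely contain a whitelisted name.
        whitelist = set(config.get(WHITELIST_KEY, "").split())
        if origin not in whitelist:
            return {}
        allowed_origin = origin  # echo only the origin that actually matched

    result = {"Access-Control-Allow-Origin": allowed_origin}
    if allowed_origin != "*":
        # The response now depends on the request's Origin header, so tell
        # shared caches not to serve one origin's response to another.
        result["Vary"] = "Origin"
    return result


if __name__ == "__main__":
    # Constructed sample configuration and requests for a quick demonstration.
    cfg = {
        ALLOW_ALL_KEY: "false",
        WHITELIST_KEY: "https://portal.example https://dashboard.example",
    }
    for req in ({}, {"Origin": "https://portal.example"}, {"Origin": "https://other.example"}):
        print(req, "->", cors_headers(cfg, req))
```

The function returns an empty dict in every "deny" case so the caller can simply merge the result into the response headers; with the default config (both keys commented out) it never emits CORS headers at all, which matches the "inactivate by default on 2.3" decision in the thread.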