
Add support for CORS headers and pre-flight request #1603

Open
RealityRipple opened this issue Aug 3, 2019 · 2 comments

Comments

@RealityRipple

commented Aug 3, 2019

Any chance for OPTIONS support and CORS headers to allow cross-origin RPC requests? BitcoinABC implemented it wonderfully last year.

@rnicoll

Member

commented Aug 5, 2019

I'm really nervous what the use-case for this is - it sounds like this involves opening the JSON-RPC port to the Internet, and letting websites use it, which to me is a massive attack surface you're potentially opening up.

Generally you'd instead have a wrapping service over the RPC port, which would include input validation, rate limiting (i.e. to defend against DoS attacks), and restrict to expected commands, and that would be where CORS would go.

@RealityRipple

Author

commented Aug 6, 2019

> I'm really nervous what the use-case for this is - it sounds like this involves opening the JSON-RPC port to the Internet, and letting websites use it, which to me is a massive attack surface you're potentially opening up.
>
> Generally you'd instead have a wrapping service over the RPC port, which would include input validation, rate limiting (i.e. to defend against DoS attacks), and restrict to expected commands, and that would be where CORS would go.

That's why it's implemented in ABC (and I'm pretty sure like Eth or something else) with a rpccorsdomain preference/command line option, with the default being that OPTIONS and CORS are not sent with RPC requests. My personal implementation hope is to allow users to use their running node to send and receive Dogecoin tips rather than an API website. Everything is over JS, so the rpccorsdomain would have to be set to null for local computer access, and the request would not necessarily be over the internet or even a LAN, though it easily could be with the right settings, but that should be up to the user, not the developer.
Asking a user to install a proxy client for this purpose seems... unfriendly at the very least. Just setting a command line or pref is much easier on the user, and having it default to undefined should prevent any security risks by users that don't understand the potential danger. As long as no one sets rpccorsdomain=* (which would be incredibly irresponsible), I don't see that the risk of trouble would be all that high. And it's not like CORS actually protects anyone from malicious attacks - the security element is implemented by the browser, not the server, so if someone just wrote their own RPC connection client, they'd easily ignore all the CORS stuff and the RPC server would be vulnerable anyway. All a lack of CORS-support does is obfuscate and limit usability.
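An added example, not code from this issue thread or from the node software it discusses, showing the policy side of the wrapping service rnicoll describes combined with the explicit-origin, off-by-default behaviour RealityRipple describes: the OPTIONS pre-flight is answered only for an origin on a configured allow-list (a `*` entry is treated as misconfiguration and disables CORS), calls are restricted to an allow-list of RPC methods, and each client is rate-limited with a token bucket. The origin list, method list, limits and function names are assumptions; forwarding to the node's RPC port is left out so the decisions run offline.

```python
# Constructed example: policy layer of a wrapper in front of a node's JSON-RPC
# port.  No sockets, so each decision can be tested without a running node.
import json
import time

ALLOWED_ORIGINS = {"https://tips.example", "null"}  # assumed; "null" = file://
ALLOWED_METHODS = {"getbalance", "getnewaddress", "sendtoaddress"}  # assumed
def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """CORS headers for a trusted Origin, or None to refuse.  Exact match only;
    a "*" entry in the allow-list disables CORS instead of opening it."""
    if origin is None or "*" in allowed or origin not in allowed:
        return None
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": "POST",
            "Access-Control-Allow-Headers": "Content-Type, Authorization",
            "Vary": "Origin"}

def preflight(origin, requested_method, allowed=ALLOWED_ORIGINS):
    """Answer an OPTIONS pre-flight as (status, headers); the browser sends
    the real POST only when the origin comes back in the allow header."""
    hdrs = cors_headers(origin, allowed)
    return (403, {}) if hdrs is None or requested_method != "POST" else (204, hdrs)

def validate_rpc(body, allowed=ALLOWED_METHODS):
    """Parse one JSON-RPC call; returns (request, None) or (None, reason)."""
    try:
        req = json.loads(body)
    except (ValueError, TypeError):
        return None, "malformed JSON"
    if not isinstance(req, dict):
        return None, "batch requests not accepted"
    if not isinstance(req.get("method"), str) or req["method"] not in allowed:
        return None, "method not permitted"
    if not isinstance(req.get("params", []), list):
        return None, "params must be an array"
    return req, None

class TokenBucket:
    """Per-client limit of `rate` calls per second with burst `capacity`."""
    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens, self.last = float(capacity), clock()
    def allow(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True
```

Note that, as the thread points out, these checks only constrain browsers; a non-browser client ignores CORS entirely, which is why the method allow-list and rate limit sit in the wrapper rather than in the CORS headers.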
