-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for CORS headers and pre-flight request #1603
Comments
I'm really nervous what the use-case for this is - it sounds like this involves opening the JSON-RPC port to the Internet, and letting websites use it, which to me is a massive attack surface you're potentially opening up. Generally you'd instead have a wrapping service over the RPC port, which would include input validation, rate limiting (i.e. to defend against DoS attacks), and restrict to expected commands, and that would be where CORS would go. |
That's why it's implemented in ABC (and I'm pretty sure like Eth or something else) with a |
The security risk is that if I CORS-allow Recommend implementing BIP-21 for this usecase instead. |
BIP-21 will handle sending, but not receiving. To detect incoming transactions, you still need a third-party service or an RPC proxy. And, as I said, any other software running on the client's computer that isn't a CORS-enabled browser is just as unsafe with or without the headers. Headers don't actually do any protecting themselves, that's the other software's job. Protecting requests like sendtoaddress should be part of the request or another previous validation's domain, not the domain of any and all of the user's installed web browsers or RPC-capable software. |
My problem with this solution is not the enabling of CORS headers in itself, I am very aware of the protection CORS does not bring. The problem is that there are insufficient security measures implemented on the RPC, specifically lacking 2 things right now: access levels and user confirmations. Right now, I wouldn't advice anyone to run a wallet and RPC on the same node as long as those 2 features aren't implemented. The browsers default CORS deny policy in case of missing headers is indeed a non-security-feature but allowing it to be changed increases the available attack vectors on an insecure implementation. If we want to bring any such feature forward, significant work on whatever interface we would expose is needed first. Think interaction between web3 and Metamask as a minimal requirement of what needs to be done: when connecting my wallet to a dapp, I have to confirm it. When my signature is needed, I at the very least need to press a button (in metamask, not the dapp) to give the dapp what it needs. And the thing that is not-so-good with Metamask: I cannot always establish who the request comes from; so some form of mutual authentication would not be a luxury. I hope that makes sense? |
In that case, would it not be allowable to make an |
I'd probably want to put it under a path that exclusively whitelists some calls, i.e. enable CORS on Which methods were you looking to expose? |
A subdirectory would make sense and probably not get in the way of any potential implementations that I can imagine. Just off the top of my head, I'd suggest Adding If you feel comfortable adding Account-related transactions as well, Since my goal is essentially just a javascript-based tipping system, I'd be able to accomplish both sending and receiving with |
I think realistically the best way to do this is to have a proxy over dogecoind, which handles authentication (as needed), verifies the request is sane, then relays it. Potentially even something like a PHP script to parse then re-create the request. Exposing dogecoind directly to the Internet just feels extremely risky that someone would find a buffer overflow or other attack via the JSON-RPC system, which was definitely not intended to be exposed. |
CORS is not a firewall. It doesn't protect or expose anything. It's an etiquette between good servers and good clients. It does nothing to stop bad clients. |
@RealityRipple thank you for bringing this up. There is now a Discussion section where you can raise technical discussions such as this, that merit thought and time, to be discussed by the community. I will close this issue as this belongs in the discussion section. |
Hi, I know this issue is closed long time back. But I have a question regarding cors issue I am facing. I am getting
In configuration files, I didn't find any CORS related flag. Could anyone help me with same? |
Any chance for OPTIONS support and CORS headers to allow cross-origin RPC requests? BitcoinABC implemented it wonderfully last year.
The text was updated successfully, but these errors were encountered: