Settings Origin header acts as a strict requirement #2153

Closed
travisperson opened this issue Jan 3, 2016 · 2 comments

@travisperson
Member

After setting ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["http://localhost:3000"]' requests made via port 5001 in a browser are no longer allowed.

This is only really noticeable in the WebUI (any browser really) as the browser sets a Referer header on every request.

All looks good

~ $ curl 'http://localhost:5001/api/v0/version' -H 'Referer: http://localhost:5001'
{"Version":"0.4.0-dev","Commit":"9e9aa4c","Repo":"3"}
~ $ curl 'http://localhost:5001/api/v0/version' -H 'Origin: http://localhost:5001'
{"Version":"0.4.0-dev","Commit":"9e9aa4c","Repo":"3"}

Update Origin

~ $ ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["http://localhost:3000"]'

Config changes don't appear to take effect yet

~ $ curl 'http://localhost:5001/api/v0/version' -H 'Referer: http://localhost:5001'
{"Version":"0.4.0-dev","Commit":"9e9aa4c","Repo":"3"}
~ $ curl 'http://localhost:5001/api/v0/version' -H 'Origin: http://localhost:5001'
{"Version":"0.4.0-dev","Commit":"9e9aa4c","Repo":"3"}
~ $ curl 'http://localhost:5001/api/v0/version'
{"Version":"0.4.0-dev","Commit":"9e9aa4c","Repo":"3"}
~ $ curl 'http://localhost:5001/api/v0/version' -H 'Referer: http://localhost:3000'
403 - Forbidden
~ $ curl 'http://localhost:5001/api/v0/version' -H 'Origin: http://localhost:3000'
403 - Forbidden

Restarted IPFS Daemon

~ $ curl 'http://localhost:5001/api/v0/version' -H 'Referer: http://localhost:5001'
403 - Forbidden
~ $ curl 'http://localhost:5001/api/v0/version' -H 'Origin: http://localhost:5001'
403 - Forbidden

With port 3000

~ $ curl 'http://localhost:5001/api/v0/version' -H 'Referer: http://localhost:3000'
{"Version":"0.4.0-dev","Commit":"9e9aa4c","Repo":"3"}
~ $ curl 'http://localhost:5001/api/v0/version' -H 'Origin: http://localhost:3000'
{"Version":"0.4.0-dev","Commit":"9e9aa4c","Repo":"3"}

I'd suspect that even with an Access-Control-Allow-Origin, requests made on port 5001 should still work.
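
The check the transcript above exercises, as an added Go example that is not part of the original post and is not go-ipfs source. The function names `originOf` and `allowed` and the `selfOrigin` parameter are hypothetical; an empty `selfOrigin` models the strict behaviour seen after the restart, and a non-empty one models the suggestion that the API's own origin should still be accepted.

```go
// Added illustration, not go-ipfs source; all function names are hypothetical.
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// originOf reduces an Origin or Referer value to scheme://host[:port],
// returning "" when the value does not parse as an absolute URL.
func originOf(v string) string {
	u, err := url.Parse(v)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ""
	}
	return u.Scheme + "://" + u.Host
}

// allowed applies an origin allowlist to the Origin and Referer headers.
// selfOrigin == "" models the strict behaviour seen after the restart;
// a non-empty selfOrigin also accepts the API's own origin (assumption).
func allowed(h http.Header, allowlist []string, selfOrigin string) bool {
	for _, name := range []string{"Origin", "Referer"} {
		raw := h.Get(name)
		if raw == "" {
			continue // header absent, e.g. plain curl
		}
		o := originOf(raw)
		ok := o != "" && o == selfOrigin
		for _, a := range allowlist {
			ok = ok || a == "*" || (o != "" && a == o)
		}
		if !ok {
			return false // present but not accepted: answer 403
		}
	}
	return true
}

func main() {
	list := []string{"http://localhost:3000"} // value set in the issue
	for _, v := range []string{"", "http://localhost:3000", "http://localhost:5001"} {
		h := http.Header{}
		if v != "" {
			h.Set("Referer", v+"/webui") // constructed sample request
		}
		fmt.Printf("%-24q strict=%-5v self-aware=%v\n", v, allowed(h, list, ""),
			allowed(h, list, "http://localhost:5001"))
	}
}
```

A header that is present but does not parse as an origin (for example `Origin: null`) is rejected unless the allowlist contains `*`.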

@rht
Contributor

rht commented Jan 22, 2016

If this were to be handled, then every config update has to propagate to the daemon immediately/when needed. This is possible when the config param is read from disk/cache every time the value is called, which could be a huge perf hit for a large number of requests. I don't think adding the complexity is worth it here.

@whyrusleeping
Member

I think we can close this as 'wont fix'. Or at least, not something we have a convincing use-case for at this time. The complexity of implementing this would be pretty high.
