add allowed_origin to config, by default no longer allow any requests which pass Origin in header #2966

Merged
merged 4 commits into from
Jun 3, 2020


jackrobison
Member

@jackrobison jackrobison commented May 25, 2020

backwards-incompatible: This release requires that no Origin value is passed in HTTP API requests. Electron-based apps accessing the SDK will need to make sure that for POST requests they remove the Origin from the header, see: electron/electron#7931. When you want to use the API from a web browser, the SDK needs to have the allowed_origin configuration value set to the host from which you want to access the API.

@jackrobison jackrobison added type: improvement Existing (or partially existing) functionality needs to be changed area: api labels May 25, 2020
@kauffj kauffj requested a review from eukreign May 27, 2020 15:13
@lbry-bot lbry-bot assigned eukreign and unassigned jackrobison May 27, 2020
Member

@eukreign eukreign left a comment

  • this needs a test
  • the default allowed_origin should be 'localhost' not 'null'
  • if Origin is None then the check is ignored

@lbry-bot lbry-bot assigned jackrobison and unassigned eukreign Jun 1, 2020
@kauffj
Member

kauffj commented Jun 3, 2020

  • 'null' will be replaced by localhost as default
  • origin will only be enforced if origin is passed

jackrobison and others added 2 commits June 3, 2020 12:55
@eukreign eukreign changed the title add allowed_origin to config add allowed_origin to config, no longer allow any requests which pass Origin in header by default Jun 3, 2020
@eukreign eukreign changed the title add allowed_origin to config, no longer allow any requests which pass Origin in header by default add allowed_origin to config, by default no longer allow any requests which pass Origin in header Jun 3, 2020
@eukreign eukreign merged commit 3c8bec6 into master Jun 3, 2020
@eukreign eukreign deleted the check-origin branch June 3, 2020 18:39
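
A minimal sketch of the policy this thread settles on (default `allowed_origin` of `localhost`, check skipped when no Origin header is sent), added here as an example and not the code merged in this PR. The function names, the host-only comparison and the rejection of the literal `null` origin are assumptions; the headers are constructed samples.

```python
from typing import Mapping, Optional
from urllib.parse import urlsplit

DEFAULT_ALLOWED_ORIGIN = "localhost"  # default named in the review comments


def origin_host(origin: str) -> Optional[str]:
    """Return the lower-cased host of an Origin value, or None if unusable."""
    origin = origin.strip()
    if origin.lower() == "null":
        # Opaque origin (sandboxed frame, file:// page): no host to compare.
        return None
    try:
        parts = urlsplit(origin)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    # A well-formed Origin is scheme://host[:port] with nothing after it.
    if parts.scheme not in ("http", "https"):
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return parts.hostname  # urlsplit already lower-cases the host


def request_allowed(headers: Mapping[str, str],
                    allowed_origin: str = DEFAULT_ALLOWED_ORIGIN) -> bool:
    """Apply the Origin policy to one request's headers (hypothetical helper)."""
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        # No Origin sent (typical for non-browser clients): check is skipped.
        return True
    host = origin_host(origin)
    # Exact host match after parsing. A prefix or substring test would
    # accept look-alike hosts such as "localhost.evil.example".
    return host is not None and host == allowed_origin.strip().lower()


if __name__ == "__main__":
    samples = [  # constructed request headers
        {},
        {"Origin": "http://localhost:8080"},
        {"Origin": "https://example.com"},
        {"Origin": "null"},
        {"Origin": "http://localhost.evil.example"},
    ]
    for h in samples:
        print(h, "->", "allow" if request_allowed(h) else "reject")
```
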
Labels
area: api type: improvement Existing (or partially existing) functionality needs to be changed
3 participants