
Protect RPC interface against CSRF #1668

Merged
merged 8 commits into mopidy:develop from kingosticks:fix/cors Apr 15, 2018

Conversation

2 participants
@kingosticks
Member

kingosticks commented Apr 10, 2018

A fix for some of #1659

@kingosticks kingosticks force-pushed the kingosticks:fix/cors branch from 2e84ee4 to 7dc96a1 Apr 10, 2018

@kingosticks


Member

kingosticks commented Apr 10, 2018

I will take a stab at the websocket too

@kingosticks kingosticks force-pushed the kingosticks:fix/cors branch 2 times, most recently from 77ea763 to 94d3069 Apr 11, 2018

@jodal jodal added this to the v2.2 milestone Apr 11, 2018

@jodal jodal added the A-http label Apr 11, 2018

@jodal

jodal approved these changes Apr 11, 2018

@@ -4,3 +4,4 @@ hostname = 127.0.0.1
port = 6680
static_dir =
zeroconf = Mopidy HTTP server on $hostname
allowed_origins =
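Review bot: the new `allowed_origins =` default is empty, so out of the box the only origin accepted is whatever the request's own Host header says; the sample config should say that next to the key, and should note that the `hostname = 127.0.0.1` default above does not cover a page served from a different port on 127.0.0.1, since the port is part of the origin and such a page needs its own `hostname:port` entry here.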


@jodal

jodal Apr 11, 2018

Member

Does localhost:6600 work without whitelisting it, or should we make that the default?

.. confval:: http/allowed_origins
A whitelist of domains allowed to perform Cross-Origin Resource Sharing
(CORS) requests. Entries must be in the format ``hostname``:``port``.
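Review bot: "domains" is the wrong noun for entries that must be in ``hostname:port`` form; say "origins", and state that the scheme is not part of an entry, so an ``http://`` and an ``https://`` page on the same host and port are both matched by one entry. It is also worth saying here that the request's own Host is always accepted, so a web client served by this same HTTP server needs no entry at all.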


@jodal

jodal Apr 11, 2018

Member
  • Consider s/whitelist/list/ and explain that multiple values can be separated by comma or put on separate lines. I don't remember how well we explain how to use config.List config values elsewhere.
  • Include the colon in the monospace part: hostname:port.
@@ -19,12 +20,16 @@
def make_mopidy_app_factory(apps, statics):
def mopidy_app_factory(config, core):
origin_whitelist = {
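Review bot: the set being built here from the configured entries should normalise them once, at app-factory time (lower-case, port present), rather than on every request, and should reject an entry without a port with a clear error: the docs require ``hostname:port`` and a bare hostname would silently never match an Origin header.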


@jodal

jodal Apr 11, 2018

Member

s/origin_whitelist/allowed_origins/ to keep the naming consistent?

if origin is None:
logger.debug('Origin was not set')
return False
origin_whitelist.add(request_headers.get('Host', None))
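Review bot: `origin_whitelist.add(request_headers.get('Host', None))` adds the bare Host value (`foo:80`), whereas an Origin header is always `scheme://host[:port]` (`http://foo:80`), so the membership test must compare the scheme-less host:port of the Origin, not the raw header value; worth checking that the comparison does that, otherwise the same-host case jodal describes never matches. Separately, when Host is absent `.get('Host', None)` inserts `None` into the set; guard the `.add` with `if host:`.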


@jodal

jodal Apr 11, 2018

Member

This allows access for a webpage at foo:80 if the RPC interface also is available at foo:80? Cute. That voids my comment about localhost:6600 as the default config value.

@@ -177,6 +197,18 @@ def set_extra_headers(self):
self.set_header('Accept', 'application/json')
self.set_header('Content-Type', 'application/json; utf-8')
def options(self):
origin = self.request.headers.get('Origin', None)
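Review bot: the `options()` handler that starts here must answer a successful preflight with `Access-Control-Allow-Origin` set to the checked origin and `Access-Control-Allow-Headers: Content-Type`, otherwise browsers refuse to send the real POST even for whitelisted origins; worth confirming the remainder of the method sets both. In the context lines above, `self.set_header('Accept', 'application/json')` puts a request header on the response, where Accept means nothing, and `'application/json; utf-8'` should be `'application/json; charset=utf-8'`.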


@jodal

jodal Apr 11, 2018

Member

None is the default return value for .get(), so you can leave it out.

@kingosticks


Member

kingosticks commented Apr 12, 2018

So I think I have addressed those comments.

Now for the websocket, I thought we could just use the same function:

    def check_origin(self, origin):
        return check_origin(origin, self.request.headers, self.allowed_origins)

@kingosticks kingosticks force-pushed the kingosticks:fix/cors branch from 30fa15c to 8add72d Apr 12, 2018

@jodal

jodal approved these changes Apr 13, 2018

Looking good! Waiting for a final review from @adamcik before merging.

kingosticks added some commits Mar 6, 2018

HTTP: CSRF protection for RPC endpoint.
By now enforcing that the Content-Type header is set to 'application/json', we force browsers attempting a cross-domain request to first perform a CORS preflight OPTIONS request. This request always includes an Origin header which we check against our whitelist. The whitelist contains the current Host as well as anything specified in the new optional allowed_origins config value. Any non-browser tools must also now set the Content-Type header.

HTTP: Content-Type other than application/json is a 415 client error.
Also fixed up formatting following code review.
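As an added illustration of the mechanism the commit message above describes, and of the shared `check_origin` function proposed earlier in the thread for the websocket handler, here is a stand-alone Python 3 version of both halves: an Origin check that accepts the request's own Host plus configured `hostname:port` entries, and the CORS "simple request" rule that explains why insisting on `Content-Type: application/json` forces a preflight. This is example code written for this page, not Mopidy's implementation; the helper names, the `request_scheme` parameter and the config-list parsing are assumptions.

```python
"""Added example (not Mopidy's code): an Origin allow-list check of the kind
the PR describes, plus the CORS rule that makes a JSON POST need a preflight."""
from urllib.parse import urlsplit

# Request headers a page script may set without triggering a preflight
# (Content-Type only with one of the listed media types).
SAFELISTED_HEADERS = {'accept', 'accept-language', 'content-language',
                      'content-type'}
SAFELISTED_CONTENT_TYPES = {'application/x-www-form-urlencoded',
                            'multipart/form-data', 'text/plain'}
DEFAULT_PORTS = {'http': 80, 'https': 443}


def parse_allowed_origins(value):
    """Hypothetical stand-in for the config list parsing: 'hostname:port'
    entries separated by commas or newlines, compared case-insensitively."""
    entries = value.replace(',', '\n').split('\n')
    return {e.strip().lower() for e in entries if e.strip()}


def _with_port(netloc, default_port):
    """Append default_port to 'host' or '[::1]'; leave 'host:1234' alone."""
    if netloc.rfind(':') > netloc.rfind(']'):
        return netloc
    return '%s:%d' % (netloc, default_port)


def check_origin(origin, request_headers, allowed_origins,
                 request_scheme='http'):
    """True if `origin` (an Origin header value such as 'http://foo:80') is
    the request's own Host or one of the configured hostname:port entries.
    `request_scheme` (an assumption, not a Mopidy parameter) supplies the
    default port for a port-less Host so 'http://foo' matches 'Host: foo'."""
    if origin is None:
        return False  # a browser always sends Origin on a CORS preflight
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.netloc:
        return False  # 'null' (opaque origin) or a malformed value
    try:
        _ = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    wanted = _with_port(parts.netloc.lower(), DEFAULT_PORTS[parts.scheme])

    allowed = {o.lower() for o in allowed_origins}
    # Header names are case-insensitive; accept a plain dict as well as a
    # case-insensitive mapping such as Tornado's HTTPHeaders.
    host = next((v for k, v in request_headers.items()
                 if k.lower() == 'host'), None)
    if host:
        allowed.add(_with_port(host.lower(), DEFAULT_PORTS[request_scheme]))
    return wanted in allowed


def needs_preflight(method, script_headers):
    """True if a browser would send an OPTIONS preflight (carrying Origin)
    before this cross-origin request. `script_headers` are the headers the
    page's JavaScript set itself; Host, Origin and Cookie are added by the
    browser and never count. A text/plain POST gets no preflight, which is
    why a JSON-RPC endpoint must reject bodies not declared as JSON."""
    if method.upper() not in ('GET', 'HEAD', 'POST'):
        return True
    for name, value in script_headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True
        if lname == 'content-type':
            media_type = value.split(';', 1)[0].strip().lower()
            if media_type not in SAFELISTED_CONTENT_TYPES:
                return True
    return False


if __name__ == '__main__':
    # Constructed sample: a page on evil.example posting to a server
    # reached as localhost:6680 with an empty allowed_origins config.
    print(needs_preflight('POST', {'Content-Type': 'text/plain'}))        # False
    print(needs_preflight('POST', {'Content-Type': 'application/json'}))  # True
    print(check_origin('http://evil.example', {'Host': 'localhost:6680'}, set()))  # False
```

The two functions fit together as the commit message says: because `needs_preflight` is False for a `text/plain` POST, a cross-origin page can deliver a JSON-looking body without any preflight and without the server ever seeing an Origin header, so the 415 rejection of anything but `application/json` is what makes the Origin check reachable at all. The same `check_origin` can back a Tornado `WebSocketHandler.check_origin(origin)` override, which is the websocket approach proposed in the thread.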

@kingosticks kingosticks force-pushed the kingosticks:fix/cors branch from 8add72d to 1d6e081 Apr 15, 2018

@kingosticks


Member

kingosticks commented Apr 15, 2018

Fixed conflict and added a bit about same-origin requests to the docs and a changelog entry.

@jodal jodal merged commit 53c8159 into mopidy:develop Apr 15, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@jodal


Member

jodal commented Apr 15, 2018

Thanks for taking the time to fix this properly :-)

kingosticks added a commit that referenced this pull request Oct 8, 2018

docs: update curl HTTP POST example
Must set 'Content-Type: application/json' header due to #1668