Hi,

Currently if we expose multiple routes under different host names, all those routes are collected and provided to the browser when calling the fos_js_routing_js route. I know that we can expose the routes under different domains, but the domains can be provided as a query parameter.

For example, given the following routing:

Considering I expose all my routes in AdminBundle with options={"expose"="admin"}, I can get the complete list of routes exposed by AdminBundle (related to admin.myapp.local) from a page of my PublicBundle (browsing public.myapp.local) if I provide the domain "admin". Ex:

To avoid such disclosure (which can be useful in some situations), maybe the best would be to add a config option:

fos_js_routing:
    policy: "same-host-only"

In that case only routes exposed on the same fetched hostname are provided. In case this config is used, we could add this kind of check in the ExposedRoutesExtractor::getRoutes() method:

As an alternative, we could allow providing a matrix of authorized domains for the different hosts. E.g.:

It could be seen as a quick win to avoid disclosure of information. I know it's not that critical, as it's just security through obscurity, but it's always subject to being pointed out by security audits.

What do you think about that?
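The two policies sketched in the issue (restrict the dump to routes bound to the requesting host, or consult a per-host matrix of allowed expose domains), written out as a standalone filter over a Symfony RouteCollection. This is an added example, not code from FOSJsRoutingBundle or from the issue author: it assumes symfony/routing is installed via Composer, the function name filterExposedRoutes, the policy strings and the shape of the host matrix are invented for illustration, and the mapping of expose=true to a "default" domain is an assumption about the bundle's behaviour. The sample routing is constructed to mirror the admin/public split described above.

```php
<?php
// Added example (not FOSJsRoutingBundle code): a host-aware filter over
// exposed routes, implementing the two policies proposed in the issue.
// Assumes symfony/routing is installed via Composer; the function name,
// the policy strings and the shape of the host matrix are assumptions.
declare(strict_types=1);

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Routing\Route;
use Symfony\Component\Routing\RouteCollection;

/**
 * Return only the routes that may be served to a client fetching the
 * route dump from $requestHost.
 *
 * $policy:     'all' (current behaviour), 'same-host-only' or 'host-matrix'
 * $domains:    expose domains the client asked for ([] = every domain)
 * $hostMatrix: for 'host-matrix', request host => list of allowed domains
 */
function filterExposedRoutes(
    RouteCollection $routes,
    string $requestHost,
    string $policy = 'all',
    array $domains = [],
    array $hostMatrix = []
): RouteCollection {
    $filtered = new RouteCollection();

    foreach ($routes->all() as $name => $route) {
        $expose = $route->getOption('expose');
        if (!$expose) {
            continue; // route is not exposed at all
        }
        // Assumption: expose=true maps to the bundle's "default" domain,
        // expose="admin" to the "admin" domain.
        $domain = true === $expose ? 'default' : (string) $expose;

        if ($domains && !in_array($domain, $domains, true)) {
            continue; // client did not ask for this domain
        }

        if ('same-host-only' === $policy) {
            // Match against the compiled host regex so that hosts with
            // placeholders ({sub}.myapp.local) are handled too; routes
            // without a host restriction are served to every host.
            $hostRegex = $route->compile()->getHostRegex();
            if (null !== $hostRegex && !preg_match($hostRegex, $requestHost)) {
                continue;
            }
        } elseif ('host-matrix' === $policy) {
            $allowed = $hostMatrix[$requestHost] ?? [];
            if (!in_array($domain, $allowed, true)) {
                continue;
            }
        }

        $filtered->add($name, $route);
    }

    return $filtered;
}

// Constructed routing resembling the issue: admin routes on admin.myapp.local,
// public routes on public.myapp.local, one exposed host-less route, one
// route that is not exposed at all.
$routes = new RouteCollection();
$routes->add('admin_dashboard', new Route('/dashboard', [], [], ['expose' => 'admin'], 'admin.myapp.local'));
$routes->add('admin_users',     new Route('/users',     [], [], ['expose' => 'admin'], 'admin.myapp.local'));
$routes->add('public_home',     new Route('/',          [], [], ['expose' => true],    'public.myapp.local'));
$routes->add('public_search',   new Route('/search',    [], [], ['expose' => true],    'public.myapp.local'));
$routes->add('api_ping',        new Route('/api/ping',  [], [], ['expose' => true]));
$routes->add('internal_only',   new Route('/internal'));

// Hypothetical matrix: the admin host may see both domains, the public host
// only the default one.
$matrix = [
    'admin.myapp.local'  => ['default', 'admin'],
    'public.myapp.local' => ['default'],
];

foreach (['all', 'same-host-only', 'host-matrix'] as $policy) {
    // A page on the public host asking for the "admin" domain, as in the issue.
    $names = array_keys(
        filterExposedRoutes($routes, 'public.myapp.local', $policy, ['admin'], $matrix)->all()
    );
    printf("%-15s public.myapp.local, domain admin -> [%s]\n", $policy, implode(', ', $names));
}
```

Run with `php filter.php` inside a project that has symfony/routing installed. With the 'all' policy the public page receives the two admin routes, which is the disclosure the issue describes; under either proposed policy the list for that request is empty, while a request from admin.myapp.local still gets its own routes. Note that 'same-host-only' still hands out routes that declare no host (api_ping here), so a route that should stay private needs a host restriction or must not be exposed.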