Closed Jared-Sprague closed 8 years ago
What the... we should proooooolly set up CORS on the server and restrict ACAO to our domain. That should prevent anything like this from being possible
Ok interesting it looks like the A record actually points to the IP address of our load balancer:
[jsprague@localhost zorbio]$ dig cp.poundzero.net
; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> cp.poundzero.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2247
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cp.poundzero.net. IN A
;; ANSWER SECTION:
cp.poundzero.net. 3442 IN A 96.126.119.51
;; Query time: 2 msec
;; SERVER: 10.11.5.19#53(10.11.5.19)
;; WHEN: Thu Mar 03 07:54:07 EST 2016
;; MSG SIZE rcvd: 61
[jsprague@localhost zorbio]$
[jsprague@localhost zorbio]$ ping cp.poundzero.net
PING cp.poundzero.net (96.126.119.51) 56(84) bytes of data.
64 bytes from nb-96-126-119-51.dallas.nodebalancer.linode.com (96.126.119.51): icmp_seq=1 ttl=50 time=46.8 ms
64 bytes from nb-96-126-119-51.dallas.nodebalancer.linode.com (96.126.119.51): icmp_seq=2 ttl=50 time=46.7 ms
64 bytes from nb-96-126-119-51.dallas.nodebalancer.linode.com (96.126.119.51): icmp_seq=3 ttl=50 time=46.7 ms
@Jared-Sprague I just created a branch called disable-cross-origin
that should fix this. As in, they can host our static content (no way to stop them from doing that honestly), but they won't be allowed to connect to our websocket server. So no one can play the game at their domain. Could you test it out? I want to make sure I didn't cause any side effects before pushing it out.
To test:
git up
git checkout disable-cross-origin
npm start
echo "127.0.0.1 localhust" | sudo tee -a /etc/hosts
firefox localhost:3000 localhust:3000
Try to play with both tabs. The localhost tab should work, the localhust tab should fail. I didn't bother adding a friendly error screen (check console for errors) but we can if you like.
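The branch above rejects WebSocket connections made from any page that is not the game's own origin. The mechanism that makes this work is the Origin request header, which browsers attach to every WebSocket handshake and which the server must compare against an allowlist (the Access-Control-Allow-Origin header mentioned earlier governs fetch/XHR, not WebSocket upgrades). The following is an added example, not code from the zorbio project, showing that check for a Node server: `isAllowedOrigin` does the exact-match comparison and `handleUpgrade` is meant to be called from the `upgrade` event of Node's `http` server. The allowlist entries and the `acceptWebSocket` callback are assumptions; the real domain would replace the placeholder.

```javascript
// Added example (not the zorbio project's code): restrict WebSocket handshakes
// to an allowlist of origins. ALLOWED_ORIGINS is constructed for illustration;
// "https://game.example.invalid" is a placeholder for the real game domain.
const ALLOWED_ORIGINS = new Set([
  'http://localhost:3000',        // local development
  'https://game.example.invalid', // placeholder for the production origin
]);

// Decide whether a browser Origin header may open a WebSocket to this server.
// The comparison is exact on scheme + host + port, so "http://localhust:3000"
// or a look-alike domain hosting a copy of the static files does not match.
// A missing header is rejected as well, so omitting Origin is not a bypass.
function isAllowedOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string' || originHeader.length === 0) return false;
  return allowed.has(originHeader.toLowerCase());
}

// Raw HTTP response written to the socket when the handshake is refused.
function rejectionResponse() {
  return 'HTTP/1.1 403 Forbidden\r\nConnection: close\r\nContent-Length: 0\r\n\r\n';
}

// Upgrade handler. Wire it as:
//   server.on('upgrade', (req, socket, head) =>
//     handleUpgrade(req, socket, head, acceptWebSocket));
// `acceptWebSocket` is an assumed callback that finishes the protocol switch
// (for example the ws library's wss.handleUpgrade). Returns true when the
// handshake was handed to the callback, false when it was refused.
function handleUpgrade(req, socket, head, acceptWebSocket) {
  const origin = req.headers && req.headers.origin;
  if (!isAllowedOrigin(origin)) {
    // Log the refusal so cross-origin attempts are visible in the server logs.
    console.warn(`refused WebSocket upgrade from origin ${String(origin)}`);
    socket.write(rejectionResponse());
    socket.destroy();
    return false;
  }
  acceptWebSocket(req, socket, head);
  return true;
}

// Minimal stand-in for a net.Socket so the handler can be exercised offline.
function fakeSocket() {
  return {
    written: '',
    destroyed: false,
    write(chunk) { this.written += chunk; },
    destroy() { this.destroyed = true; },
  };
}
```

With this in place a copy of the client served from another host still loads, as the comment above notes, but its WebSocket handshake is answered with 403 and closed, so the game cannot be played from that domain.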
Getting this in prod:
found this in google search results, totally weird, it's the latest build: http://cp.poundzero.net/