Security of API clients : Add CORS header to allow JSON requests

[tdelmas]

Please add the following header to the JSON API response : Access-Control-Allow-Origin: * This header allow any origin to read the answer.

• CORS is really more secure than JSONP : if one day searchcode.com is compromised, any website using the JSONP can be compromised, because a JSONP request allow javascript execution, but with CORS, the answer is plain JSON.
• Adding this header will not breaks existing code, and the JSONP API can still be available.
• For GET requests, CORS works with IE10, Chrome and Firefox (and IE8/9 with little more code)
• Using CORS allow to get rid of the JSONP hack

Links :

• CORS support : http://caniuse.com/#feat=cors
• About JSONP security : https://en.wikipedia.org/wiki/JSONP#Security_concerns
• Tutoriel : http://www.html5rocks.com/en/tutorials/cors/
• Documentation : https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
• Specification : http://www.w3.org/TR/cors/
• API Example : https://developer.github.com/v3/#cross-origin-resource-sharing
• Wikipedia example : https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Simple_example

[boyter]

Seems reasonable. I was opposed to this at first because it would result in whitelisting every domain like so,

Access-Control-Allow-Origin: *

However thinking about it all the API does is allow getting of information so it shouldn't be an issue. I will implement it now.

[tdelmas]

Thanks a lot (140 characters was not enough to detail all implications !)

[boyter]

I dont suppose you have any experience in setting this up in nginx? I was playing around with it then and set the following,

add_header 'Access-Control-Allow-Origin' "$http_origin";

inside the default location / and then tried the following,

$.ajax("https://searchcode.com", { type: 'get', contentType: "application/json", accept: "application/json" }).success(function(data){ console.log("success!", data); }).fail(function(jqxhr, statusText){ console.log("fail!", jqxhr, statusText); })

however no luck. Oddly a check of the headers shows that it should be working as expected,

`MacBook-Pro:~ boyter$ curl -H "Origin: http://test.com" --verbose https://searchcode.com/api/related_results/95217/

• Hostname was NOT found in DNS cache
• Trying 192.168.0.102...
• Connected to searchcode.com (192.168.0.102) port 443 (#0)
• TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• Server certificate: searchcode.com
• Server certificate: PositiveSSL CA 2
• Server certificate: AddTrust External CA Root

  GET /api/relatedresults/95217/ HTTP/1.1 User-Agent: curl/7.37.1 Host: searchcode.com Accept: /_ Origin: http://test.com

  < HTTP/1.1 200 OK

• Server nginx is not blacklisted < Server: nginx < Date: Mon, 16 Feb 2015 21:44:02 GMT < Content-Type: application/json < Transfer-Encoding: chunked < Connection: keep-alive < Access-Control-Allow-Origin: http://test.com <
• Connection #0 to host searchcode.com left intact`

Not sure what is going on here.

[tdelmas]

No problem, I should be grateful.

• do you have any add_header in the /api/ location ? When you have add_header inside a nested block, all add_header of parents are ignored (not only headers with the same name)
• why "$http_origin" and not * ? I think it's better, but I may be wrong

[boyter]

Yes, I have separate locations for the API calls since I need to set the content type. This was just playing around to see if I could get it working first. I set it there as well with no luck. Will try again a bit later.

$http_origin would set it to display that the Allow-Origin to be only whoever is making the call. Supposedly its a bit nicer for the consuming application since it looks like its just for them. I only changed it because * appeared not to be working.

I will play around with it a bit more.

[tdelmas]

Ok, thank you for trying ! If you have anymore questions, don't hesitate.

[tdelmas]

I've add an experimental option to test it on http://searchcode.tdelmas.ovh

[boyter]

Excellent. This will help. I will be looking to push this out soonish. Just trying to add some integration tests over it to ensure it is not rolled back at some point.

[boyter]

Ok this should be done. Let me know how it works out for you and I can close this one down.

[tdelmas]

yes, perfect ! Thanks a lot

[boyter]

For future reference,

curl -H "Origin: http://test.com" --verbose https://searchcode.com/api/related_results/95217/