Closed christianbundy closed 4 years ago
Code looks reasonable and @seekr says this works, which is good enough for me!
Is it possible to allow a subpage, not just a subdomain?
--allow-host example.com/oasis
Actually I get this error in the console, without a subpage in allow-host:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-4Su6mBWzEIFnH4pAGMOuaeBrstwJN4Z3pq/s1Kn4/KQ='), or a nonce ('nonce-...') is required to enable inline execution.
And a "Not found" in the page.
It's not, unfortunately. I'd strongly recommend running this as a subdomain rather than as a sub-path.
I understand, but we use local hostnames of machines; /etc/hosts is not configured by default with a subdomain of the main local domain ...
I think that should be a nice trick to allow this use case.
I use nginx for vhosts, but no DNS, just the preconfigured local name of the host, so no subdomains.
Problem: When proxying Oasis, the CSRF + DNS rebind security precautions will respond with HTTP 400 if you use a hostname that Oasis doesn't know about. For example, if Oasis is listening on localhost and you use Caddy/Nginx/etc to proxy that to oasis.example.com, then Oasis will see GET requests as DNS rebind attacks and POST requests as CSRF attacks.

Solution: Add --allow-host command-line flag so that you can --allow-host oasis.example.com and ensure that the host is allowed by the security measures.
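
The behaviour described in this pull request, sketched as an added example that is not Oasis's own code: a Host allowlist that rejects unknown hosts on GET and cross-site sources on POST. The function names, the listen port 3000 and the Origin/Referer comparison are assumptions made for illustration.

```javascript
// Added illustration, not Oasis source. Names and exact checks are assumptions.

// Hosts the server answers for: its listen address plus each --allow-host value.
function buildAllowedHosts(listenHost, port, extraHosts = []) {
  const allowed = new Set([`${listenHost}:${port}`]);
  for (const h of extraHosts) {
    // A Host header carries only host[:port], so a value with a path
    // (example.com/oasis) could never match and is rejected up front.
    if (/[\/?#]/.test(h)) {
      throw new Error(`--allow-host takes a hostname, not a URL path: ${h}`);
    }
    allowed.add(h.toLowerCase());
  }
  return allowed;
}

// Returns the HTTP status this guard would produce for a request.
function checkRequest(allowed, { method, headers }) {
  const host = (headers.host || "").toLowerCase();
  // DNS rebinding: an attacker-controlled name resolves to this server, so the
  // browser sends a Host value that was never configured here.
  if (!allowed.has(host)) return 400;
  if (method === "POST") {
    // CSRF: a state-changing request must come from a page on an allowed host.
    const source = headers.origin || headers.referer;
    if (!source) return 400;
    let sourceHost;
    try {
      sourceHost = new URL(source).host.toLowerCase();
    } catch {
      return 400; // e.g. "Origin: null" from a sandboxed or opaque context
    }
    if (!allowed.has(sourceHost)) return 400;
  }
  return 200;
}

// Constructed sample requests: behind a proxy with and without --allow-host.
const withFlag = buildAllowedHosts("localhost", 3000, ["oasis.example.com"]);
const withoutFlag = buildAllowedHosts("localhost", 3000);
const proxiedGet = { method: "GET", headers: { host: "oasis.example.com" } };
console.log(checkRequest(withoutFlag, proxiedGet), checkRequest(withFlag, proxiedGet));
```
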