Closed chqr1y closed 6 months ago
Confirmed.
Is this a show-stopper for something you are working on?
It's not a show-stopper for me (I have patched the core for my project). Do you want me to work on a fix?
Sure. It should be pretty easy. I've developed several Flask apps that use the Flask-CORS extension. The default configuration is vulnerable to arbitrary origin reflection, but for this app, which isn't intended to be used outside of localhost, that shouldn't be an issue. I suppose Recon-web could always be invoked with a --origin argument that it uses to whitelist the origin. Just an idea.
On a side note, what is this project you're working on? I've not talked to anyone using the API at this point, but there is a lot of possibility and I'm interested in seeing it used.
I agree with you, I'm going to propose the following behavior:
Another point, my project is a JavaScript interface to manipulate in a more convenient way a large amount of OSINT materials. For now, it's more an experiment to learn ReactJS. I'll let you know when I have a working POC.
The CORS policy blocks requests to the recon-web API (like http://127.0.0.1:5000/api/workspaces) made from the JavaScript context of a web page in Firefox or Chrome. This behavior prevents the use of the API from a JavaScript web application.
I have tested with recon-ng 5.1.1, Firefox 68.7.0esr and Chromium 81.0.4044.92.
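The origin allowlist idea raised in the thread, sketched as an added example that is not recon-ng's code or the fix that was merged: a standard-library WSGI middleware stands in for Flask-CORS, and it sends `Access-Control-Allow-Origin` only on an exact match instead of reflecting the request's `Origin`. The names `parse_origins`, `OriginAllowlist`, `demo_app` and `simulate`, the allowed method list and the sample origins are assumptions made for the illustration.

```python
import argparse
from wsgiref.util import setup_testing_defaults

def parse_origins(argv):
    """Collect repeated --origin values (hypothetical flag from the thread)."""
    parser = argparse.ArgumentParser()
    parser.add_argument("--origin", action="append", default=[])
    return frozenset(o.rstrip("/") for o in parser.parse_args(argv).origin)

class OriginAllowlist:
    """WSGI middleware that sends CORS headers only to allowlisted origins."""
    def __init__(self, app, allowed):
        self.app, self.allowed = app, allowed
    def cors_headers(self, origin):
        # Vary: Origin stops caches from replaying one origin's answer to another.
        headers = [("Vary", "Origin")]
        if origin in self.allowed:  # exact match, never reflection or "*"
            headers.append(("Access-Control-Allow-Origin", origin))
        return headers
    def __call__(self, environ, start_response):
        extra = self.cors_headers(environ.get("HTTP_ORIGIN"))
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            # Preflight is answered here and never reaches the API handlers.
            if len(extra) > 1:  # the origin was allowlisted
                extra.append(("Access-Control-Allow-Methods", "GET, POST"))  # assumed
            start_response("204 No Content", extra)
            return []
        def patched(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, patched)

def demo_app(environ, start_response):
    # Constructed stand-in for an API endpoint.
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"{}"]

def simulate(app, method, origin=None, preflight=False):
    """Send one constructed request through app; return (status, headers)."""
    environ, seen = {"REQUEST_METHOD": method}, {}
    if origin:
        environ["HTTP_ORIGIN"] = origin
    if preflight:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = "GET"
    setup_testing_defaults(environ)
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```

With an empty allowlist no origin receives CORS headers, so browsers keep blocking cross-origin reads of the API until an origin is named explicitly.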