voxel51 / fiftyone

The open-source tool for building high-quality datasets and computer vision models
https://fiftyone.ai
Apache License 2.0
8.52k stars, 547 forks

[BUG] Web App POST missing Referer #4539

Open hieutomra opened 3 months ago

hieutomra commented 3 months ago

In our case, we host our FiftyOne App inside Azure App Service (running as a Docker container) with authentication against Entra ID. Everything worked except that the FiftyOne web app JavaScript does POSTs for GraphQL and events but is missing the Referer header, and such requests seem to be blocked by Azure App Service.


I found this by comparing the headers of a working POST and a failing FiftyOne one:

POST / HTTP/1.1
Host: REDACTED.azurewebsites.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Origin: https://REDACTED.azurewebsites.net
DNT: 1
Connection: keep-alive
Referer: https://REDACTED.azurewebsites.net/
Cookie: AppServiceAuthSession=REDACTED
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1

The failing one from the FiftyOne JavaScript:

POST /foSession/hieu/events HTTP/1.1
Host: REDACTED.azurewebsites.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 305
Origin: https://REDACTED.azurewebsites.net
DNT: 1
Connection: keep-alive
Cookie: AppServiceAuthSession=REDACTED
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Sec-GPC: 1

And to confirm, I added the Referer to the headers of the FiftyOne POST and the POST succeeded.

This should be quite easy to fix if you know where in the code those POSTs are triggered.

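The two header captures above are enough to reproduce the gateway's decision offline. The following is an added example, not FiftyOne's code and not Azure's: it runs the working and the failing header sets through a Referer-only check (the behaviour observed in the issue) and through a layered same-origin check that reads Sec-Fetch-Site and Origin first, which the failing request does carry. The host name stands in for the redacted one, and the two extra header sets (a cross-site form POST and a same-origin POST without any Sec-Fetch-* headers) are constructed for contrast. The client-side helper at the end reflects one constraint to keep in mind when fixing this: Referer is a forbidden request header name, so a browser silently drops it from a fetch `headers` object, and the only script-side control is `referrerPolicy`.

```javascript
// Added example, not FiftyOne's code: compare a Referer-only gateway check
// with a layered same-origin check on the header sets from the issue.
// SITE_ORIGIN is an assumption standing in for the redacted host.
const SITE_ORIGIN = "https://example.azurewebsites.net";

// Header sets transcribed from the issue, reduced to the fields the checks
// read and lower-cased as a server framework would present them.
const BROWSER_FORM_POST = {
  origin: SITE_ORIGIN,
  referer: SITE_ORIGIN + "/",
  "sec-fetch-site": "same-origin",
  "sec-fetch-mode": "navigate",
};
const FIFTYONE_EVENTS_POST = {
  origin: SITE_ORIGIN,
  "sec-fetch-site": "same-origin",
  "sec-fetch-mode": "cors",
};
// Constructed for contrast: a forged cross-site form POST (classic CSRF) and a
// same-origin POST from a client that sends no Sec-Fetch-* headers at all.
const CROSS_SITE_FORM_POST = {
  origin: "https://attacker.example",
  referer: "https://attacker.example/csrf.html",
  "sec-fetch-site": "cross-site",
  "sec-fetch-mode": "navigate",
};
const LEGACY_SAME_ORIGIN_POST = { origin: SITE_ORIGIN };

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Check 1: require a same-origin Referer. Rejects every client whose requests
// go out without Referer, which is what the failing capture looks like.
function refererOnlyCheck(h) {
  if (!h.referer) return { allowed: false, reason: "missing Referer" };
  return originOf(h.referer) === SITE_ORIGIN
    ? { allowed: true, reason: "Referer is same-origin" }
    : { allowed: false, reason: "Referer is cross-origin" };
}

// Check 2: layered. Sec-Fetch-Site is set by the browser and cannot be
// changed from script, so it is consulted first; Origin is sent by browsers
// on every POST; Referer is only the fallback for clients that send neither.
function sameOriginCheck(h) {
  const site = h["sec-fetch-site"];
  if (site !== undefined) {
    // "none" is a user-initiated navigation (typed URL, bookmark), not an attack.
    const ok = site === "same-origin" || site === "none";
    return { allowed: ok, reason: "Sec-Fetch-Site: " + site };
  }
  if (h.origin !== undefined) {
    const ok = h.origin === SITE_ORIGIN;
    return { allowed: ok, reason: "Origin " + (ok ? "matches" : "does not match") };
  }
  return refererOnlyCheck(h);
}

// Client side: Referer is a forbidden request header, so a browser drops it
// from fetch(..., { headers }). referrerPolicy "same-origin" keeps the
// browser-generated Referer on same-origin requests and omits it cross-origin.
function fetchInitWithReferer(jsonBody) {
  return {
    method: "POST",
    mode: "cors",
    credentials: "same-origin",
    headers: { "Content-Type": "application/json" },
    referrerPolicy: "same-origin",
    body: JSON.stringify(jsonBody),
  };
}

// Run both checks over every header set; returns { name: { refererOnly, layered } }.
function evaluateAll() {
  const cases = { BROWSER_FORM_POST, FIFTYONE_EVENTS_POST, CROSS_SITE_FORM_POST, LEGACY_SAME_ORIGIN_POST };
  const out = {};
  for (const [name, h] of Object.entries(cases)) {
    out[name] = { refererOnly: refererOnlyCheck(h).allowed, layered: sameOriginCheck(h).allowed };
  }
  return out;
}

console.table(evaluateAll());
```

The table shows the point of the capture: the FiftyOne request is rejected only by the Referer-only check, while the forged cross-site POST is rejected by both, so a gateway that also honours Sec-Fetch-Site and Origin loses nothing by accepting requests without Referer. On the client side the fix is a `referrerPolicy` choice in the fetch wrapper, not a new entry in the headers object.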

benjaminpkane commented 3 months ago

Hi @hieutomra. We can look into adding Referer, but as this is an environment that the open-source project is not tested in, we cannot guarantee support. The open-source project is designed for individual use.

If you have a team, please reach out! 🚀

hieutomra commented 3 months ago

I understand. If you can point me to where I can start, I can give it a try and potentially do a PR.

hieutomra commented 3 months ago

Seems similar to #1668

benjaminpkane commented 3 months ago

> Seems similar to #1668

Unrelated. That was an issue related to our CVAT integration. The fetch function is in the @fiftyone/utilities package under ./app. We can take a look at a PR if the changes are minimal.