workflowproducts / envelope

Publish web apps based on your PostgreSQL database fast!
https://workflowproducts.com/envelope.html
Apache License 2.0
53 stars, 2 forks

CORS detection #134

Open nunziotocci opened 6 years ago

nunziotocci commented 6 years ago

In order to prevent CORS attacks, we should add two configuration parameters: api_referer_list and public_referer_list.

These parameters would be comma-separated lists of domains (possibly also wildcard domains) that are allowed to send requests to Envelope.

api_referer_list should be a required parameter. public_referer_list should default to api_referer_list.

nunziotocci commented 6 years ago

After some quick research this still seems to be a viable solution.

I've checked IE11, Edge, Firefox, and Google Chrome on Windows 10 and they send the Referer header on same-origin and cross-origin AJAX requests as long as the AJAX destination is behind HTTPS.

Also, I feel inclined to say that it seems like public_referer_list should be called public_api_referer_list. It took me a couple of minutes to remember that these are only supposed to affect the API.

nunziotocci commented 5 years ago

Ok, while writing the code for this, I found that the Origin header needs to be used for WebSockets. It could in theory be used for AJAX calls, but I'm going to use Referer if it's available and fall back on Origin.

nunziotocci commented 4 years ago

Ok, this feature has only been intrusive when it comes to accept(nc)_* functions.

I will add a parameter to disable the check for accept(nc)_* functions. The developer would then be responsible for making sure that the accept functions don't make any database updates.
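The check sketched across the comments above, written out as an added illustration (this is not Envelope's own code): it parses the comma-separated api_referer_list and public_referer_list values (with `*.` wildcards), takes the Referer header first and falls back to Origin as the WebSocket case requires, and honours a configuration switch that exempts accept functions from the check. The switch name `skip_accept_referer_check`, the class and function names, the `accept_`/`acceptnc_` endpoint-name prefixes and the sample headers are all assumptions made for this example.

```python
"""Illustrative Referer/Origin allowlist check modelled on the design in this
issue. Assumed names and sample values are noted inline; not Envelope's code."""
from urllib.parse import urlsplit


def parse_domain_list(value):
    """Split 'app.example.com, *.example.org' into normalised entries."""
    return [d.strip().lower() for d in value.split(",") if d.strip()]


def host_matches(host, pattern):
    """Exact match, or '*.example.com' matching any subdomain (not the apex).

    The wildcard compares on a leading dot, so 'evil-example.com' does not
    match '*.example.com' (a plain endswith on 'example.com' would).
    """
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '.example.com'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def host_from_url(value):
    """Lowercase hostname from a Referer/Origin value, or None if the header is
    absent, is the literal 'null' Origin, or cannot be parsed."""
    if not value or value.strip() == "null":
        return None
    try:
        return urlsplit(value.strip()).hostname  # already lowercased
    except ValueError:
        return None


class RefererPolicy:
    """Request-source policy built from the two parameters proposed above.

    skip_accept_referer_check is an assumed name for the switch that exempts
    accept(nc)_* functions; the developer then owns their side-effect safety.
    """

    ACCEPT_PREFIXES = ("accept_", "acceptnc_")  # assumed endpoint naming

    def __init__(self, api_referer_list, public_referer_list=None,
                 skip_accept_referer_check=False):
        if not api_referer_list or not api_referer_list.strip():
            raise ValueError("api_referer_list is required")
        self.api = parse_domain_list(api_referer_list)
        # public list defaults to the API list, as the issue proposes
        self.public = (parse_domain_list(public_referer_list)
                       if public_referer_list else self.api)
        self.skip_accept_referer_check = skip_accept_referer_check

    def check(self, headers, endpoint, is_public=False):
        """Return (allowed, reason) for one request.

        headers: dict of request headers (any key case); endpoint: the
        Envelope function name being called; is_public selects the list.
        """
        if (self.skip_accept_referer_check
                and endpoint.startswith(self.ACCEPT_PREFIXES)):
            return True, "accept function exempted by configuration"
        h = {k.lower(): v for k, v in headers.items()}
        # Referer if present, otherwise Origin (WebSocket handshakes only
        # carry Origin); both are checked against the same allowlist.
        source = h.get("referer") or h.get("origin")
        host = host_from_url(source)
        if host is None:
            return False, "no usable Referer or Origin header"
        allowed = self.public if is_public else self.api
        if any(host_matches(host, p) for p in allowed):
            return True, f"{host} allowed"
        return False, f"{host} not in allowlist"


def demo():
    """Run the policy over constructed sample requests; returns the verdicts."""
    policy = RefererPolicy("app.example.com, *.example.org")
    samples = {  # constructed headers, not captured traffic
        "same_origin": {"Referer": "https://app.example.com/page"},
        "ws_subdomain": {"Origin": "https://ws.example.org"},
        "apex_not_wildcarded": {"Origin": "https://example.org"},
        "lookalike": {"Referer": "https://evil-example.org/"},
        "no_headers": {},
        "null_origin": {"Origin": "null"},
    }
    return {name: policy.check(hdrs, "select_rows")[0]
            for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'allow' if allowed else 'deny'}")
```

The wildcard deliberately excludes the apex domain and the lookalike host; if an installation wants the apex allowed it lists it explicitly alongside the wildcard entry.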