Re: help/info needed: Javascript and CORS - a bodhi <--> bugzilla communication problem

On 30/10/2018 17:36, Mattia Verga wrote:

> The problem is that the ajax request to Bugzilla fails, because BZ
> doesn't provide CORS headers. I've asked BZ guys [2] to add those
> headers, but I'm a bit confused about how CORS works and I would need
> some help from someone who may have a deeper knowledge on this.
> Does the BZ server need to provide the `Access-Control-Allow-Headers`
> header or the `Access-Control-Allow-Origin` header? Is it correct what I
> asked in the opened bug [3]?

Principally it needs to send Access-Control-Allow-Origin if it is
happy to allow the request - if the request requires unusual headers
then it might need to send the other one as well.

> What type of security issue may arise with a wildcarded
> `Access-Control-Allow-Headers: *` header? As I understand CORS, it's not
> a server protection, rather a client protection. In fact, installing a
> browser extension like CorsE for Firefox easily bypasses that "protection"
> and allows the script to run.

No, it protects against unintended exfiltration of data from
the server - without it a random web page could have javascript
that did a background XHR to a web site that required authentication
and just waited until somebody happened to visit that page who happened
to have a valid session cookie for the target site.

So allowing CORS access to resources that don't require authentication
is not normally a problem but allowing it to resources that do require
some sort of authentication requires that you trust the domain you are
allowing the access to.

So for BZ I guess the issue will be figuring out if any of the bugs
you are getting information on are restricted in any way? Or maybe
that's fine if the bodhi user has access to those bugs and the domain
can just be validated to restrict it to bodhi?

Tom

--
Tom Hughes (tom@xxxxxxxxxx)
http://compton.nu/
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
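The policy Tom describes, as an added example that is not code from this thread, from Bugzilla or from bodhi: public resources get a wildcard origin, resources that depend on a session cookie echo only an exact origin from an allow-list, and a preflight permits only the request headers the server has chosen. The origin `https://bodhi.example.org` and the header list are constructed assumptions.

```python
# Added example: server-side CORS decisions of the kind discussed above.
# TRUSTED_ORIGINS is a constructed placeholder, not bodhi's real origin.
TRUSTED_ORIGINS = {"https://bodhi.example.org"}

def cors_headers(request_headers, requires_auth, trusted=TRUSTED_ORIGINS):
    """Return the CORS response headers (dict) for one request, or {} to deny.

    requires_auth is True when the resource depends on the visitor's session
    cookie, i.e. when a third-party page could otherwise read private data
    through that visitor's browser.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser client: CORS does not apply
    if not requires_auth:
        # Public data: any site may read it. A browser never exposes a
        # credentialed response behind '*', so nothing private can leak.
        return {"Access-Control-Allow-Origin": "*"}
    # Authenticated data: echo only an exact trusted origin and state that
    # credentials are allowed. A wildcard is rejected by browsers here anyway.
    if origin not in trusted:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stop caches replaying one origin's answer to another
    }

def preflight_headers(request_headers, requires_auth,
                      allowed=("Content-Type", "X-Requested-With")):
    """Answer an OPTIONS preflight: only the headers in `allowed` are granted,
    rather than a blanket 'Access-Control-Allow-Headers: *'."""
    base = cors_headers(request_headers, requires_auth)
    if not base:
        return {}
    raw = request_headers.get("Access-Control-Request-Headers", "")
    wanted = [h.strip().lower() for h in raw.split(",") if h.strip()]
    permitted = {h.lower() for h in allowed}
    if any(h not in permitted for h in wanted):
        return {}  # the page asked for a header this server does not permit
    base.update({
        "Access-Control-Allow-Methods": "GET, OPTIONS",
        "Access-Control-Allow-Headers": ", ".join(allowed),
    })
    return base
```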