View Issue Details

ID: 0005802
Project: GNUnet
Category: rest service
View Status: public
Last Update: 2019-07-24 20:42
Reporter: schanzen
Assigned To: schanzen
Priority: urgent
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version:
Target Version: 0.11.6
Fixed in Version: 0.11.6
Summary: 0005802: REST service should have some advanced CORS logic
Description: Currently, the REST server can be configured in a way that makes it echo the Origin of an HTTP request in the CORS response.
This is a security issue as any website is now able to call the GNUnet REST API from the browser.

We should find a way to only allow special browsers and domains to be able to call the REST API and/or leverage the CORS enforcement of the browser.

Intentionally blocking for 0.11.6
Tags: No tags attached.

Activities

schanzen

2019-07-11 18:32

developer ~0014667

Fixed in aca547d7e0d2c35de71daa934f01f6959b51cf7f.
Now, only requests with origin from moz-extension://* and chrome-extension://* are echoed.
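The description above reports the weak behaviour (any request Origin is reflected into Access-Control-Allow-Origin) and the fix note states the corrected rule (only moz-extension://* and chrome-extension://* origins are echoed). The following is an added example written for this page, not code from the GNUnet REST server or from the referenced commit: it puts the reflecting check beside an allowlist check that implements the rule from the note. The function names, the header-value builder and the character restriction on the extension id part are assumptions of this example.

```c
/*
 * Added example (not GNUnet code): deciding whether a request's Origin may be
 * echoed back in Access-Control-Allow-Origin.
 *
 * echo_any_origin() is the weak behaviour the issue describes: whatever the
 * browser sent is reflected, so any web page can read API responses.
 * allowlisted_origin() follows the fix note: only moz-extension://* and
 * chrome-extension://* origins are accepted. The id-character check and all
 * function names are assumptions of this example.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Weak: reflects the request Origin unchanged. */
static const char *
echo_any_origin (const char *origin)
{
  return origin;
}

/* Origin schemes used by browser extensions; only these may be echoed. */
static const char *const allowed_schemes[] = {
  "moz-extension://",
  "chrome-extension://",
  NULL
};

/* Return 1 if `origin` uses an allowed scheme and the remainder is a
 * non-empty extension id made only of alphanumerics, '-' and '_'. Anything
 * else (a bare scheme, a path, CR/LF, spaces) is rejected, so the value can
 * be placed in a response header without further escaping. */
static int
allowlisted_origin (const char *origin)
{
  if (NULL == origin)
    return 0;
  for (size_t i = 0; NULL != allowed_schemes[i]; i++)
  {
    size_t plen = strlen (allowed_schemes[i]);
    if (0 != strncmp (origin, allowed_schemes[i], plen))
      continue;
    const char *id = origin + plen;
    if ('\0' == *id)
      return 0;               /* scheme without an extension id */
    for (const char *p = id; '\0' != *p; p++)
    {
      if (! (('a' <= *p && *p <= 'z') || ('A' <= *p && *p <= 'Z') ||
             ('0' <= *p && *p <= '9') || '-' == *p || '_' == *p))
        return 0;
    }
    return 1;
  }
  return 0;
}

/* Fill `buf` with the Access-Control-Allow-Origin value for this request and
 * return 1, or return 0 to signal that the header must be omitted entirely
 * (with no header the browser blocks the cross-origin read). */
static int
cors_allow_origin_value (const char *origin, char *buf, size_t buflen)
{
  if (! allowlisted_origin (origin))
    return 0;
  if (strlen (origin) + 1 > buflen)
    return 0;
  strcpy (buf, origin);
  return 1;
}

int
main (void)
{
  /* Constructed sample Origin values, not captured traffic. */
  const char *samples[] = {
    "moz-extension://6f2d1a3c-9b7e-4c1d-8a2f-0123456789ab",
    "chrome-extension://abcdefghijklmnopabcdefghijklmnop",
    "https://www.example.org",
    "chrome-extension://",
    "moz-extension://id\r\nX-Injected: 1",
  };
  char value[256];
  for (size_t i = 0; i < sizeof (samples) / sizeof (samples[0]); i++)
  {
    printf ("weak echoes: %s\n", echo_any_origin (samples[i]));
    printf ("fixed sends: %s\n\n",
            cors_allow_origin_value (samples[i], value, sizeof (value))
            ? value : "(header omitted)");
  }
  return 0;
}
```

Omitting the header, rather than sending a fixed fallback value, is what makes the browser's CORS enforcement do the blocking: a page outside the allowlist never receives an Access-Control-Allow-Origin that matches its own origin.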

Issue History

Date Modified Username Field Change
2019-07-11 16:50 schanzen New Issue
2019-07-11 16:50 schanzen Status new => assigned
2019-07-11 16:50 schanzen Assigned To => schanzen
2019-07-11 16:50 schanzen Assigned To schanzen =>
2019-07-11 16:51 schanzen Target Version => 0.11.6
2019-07-11 16:51 schanzen Description Updated
2019-07-11 18:32 schanzen Assigned To => schanzen
2019-07-11 18:32 schanzen Status assigned => resolved
2019-07-11 18:32 schanzen Resolution open => fixed
2019-07-11 18:32 schanzen Note Added: 0014667
2019-07-24 20:41 Christian Grothoff Fixed in Version => 0.11.6
2019-07-24 20:42 Christian Grothoff Status resolved => closed