Created on 2022-05-17 15:33 by rouilj, last changed 2022-05-17 21:22 by rouilj.
|msg7534||Author: [hidden] (rouilj)||Date: 2022-05-17 15:33|
When using roundup's rest or xmlrpc api interfaces from an application not at the same origin as the roundup tracker, CORS and CORS preflight are used (see issue2551203). This scenario looks like it requires disabling csrf_enforce_header_origin in config.ini for html and api requests.

To stop this, add a config.ini option:

    allowed_origins_for_api =

that can take a comma separated list of url prefixes (ending with /) or the character '*'.

The origin header when evaluating xmlrpc or rest requests must begin with:

  - tracker.web (base element, so scheme://host/)
  - any value in allowed_origins_for_api

If allowed_origins_for_api is *, the origin is allowed.

For preflight requests, the returned value for Access-Control-Allow-Origin should be the client supplied origin value.

This test should be extracted to a method on the client class (check_origin_header(self, api=False)) and called in handle_csrf(self, xmlrpc=False), replacing the existing origin check code. If handle_csrf is called with xmlrpc=True, call check_origin_header with api=True. (Consider replacing the name xmlrpc with api.)

It should also be used in client.py::handle_rest() (with api=True) to verify the origin header for preflight requests. If the Origin header check fails for preflight, return 401 with no CORS preflight headers.
|msg7535||Author: [hidden] (rouilj)||Date: 2022-05-17 21:21|
First pass at implementation. Changes from spec:

  - config.ini param is allowed_api_origins (shorter name).
  - Origin values are space (not comma) separated and must exactly equal the origin header value. So https://foo.edu is not the same as https://Foo.edu. It seems to me that these should be a case insensitive match, but the original CORS spec says case sensitive and the newer spec has nothing to say on it.
  - check_origin_header(self, api=False) renamed as is_origin_header_ok(self, api=False).
  - Swapped out xmlrpc param for api param. Updated comments.

The code to handle preflight requests isn't done yet, so those items are still open. Also, until CORS preflight support is implemented for xmlrpc, I am not adding origin filter there.

Docs updated.

changeset: 6681:ab2ed11c021e
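The origin check described in msg7534 and revised in msg7535, written out as an added stand-alone example (this is not Roundup's own client.py code). It follows the msg7535 rules: a space separated allowed_api_origins list, exact case sensitive comparison, '*' allowing any origin, and the tracker's own origin (tracker.web reduced to scheme://host) always allowed. The preflight helper implements the behaviour msg7534 asks for (401 with no CORS headers on failure, the client's Origin echoed back on success); the sample config values, the extra Access-Control-Allow-* header values and the function signatures are assumptions for the example.

```python
"""Added example of the origin filter described in this issue.

Not Roundup's code: is_origin_header_ok / preflight_response and the
constructed config values below are illustrative only.
"""
from urllib.parse import urlsplit

# Constructed sample config values (assumed; not read from a real config.ini).
TRACKER_WEB = "https://tracker.example.org/demo/"
ALLOWED_API_ORIGINS = "https://app.example.org https://Foo.edu"


def base_origin(url):
    """Reduce a URL such as tracker.web to its origin: scheme://host[:port]."""
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme, parts.netloc)


def is_origin_header_ok(origin, api=False,
                        tracker_web=TRACKER_WEB,
                        allowed_api_origins=ALLOWED_API_ORIGINS):
    """Return True if the Origin header value is acceptable.

    html requests only pass with the tracker's own origin.  api (rest/xmlrpc)
    requests also consult the space separated allowed_api_origins list; a
    '*' entry allows any origin.  Matching is exact and case sensitive, as
    the original CORS spec requires, so https://foo.edu != https://Foo.edu.
    """
    if not origin:
        return False
    if origin == base_origin(tracker_web):
        return True
    if not api:
        return False
    allowed = allowed_api_origins.split()
    if "*" in allowed:
        return True
    return origin in allowed


def preflight_response(origin, **config):
    """Build (status, headers) for a CORS preflight OPTIONS request.

    A rejected origin gets 401 with no CORS headers.  An accepted origin is
    echoed back in Access-Control-Allow-Origin (never a literal '*', which
    browsers reject for credentialed requests); Vary: Origin keeps caches
    from serving one origin's answer to another.
    """
    if not is_origin_header_ok(origin, api=True, **config):
        return 401, {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        # Assumed values for the example; a real tracker would list its own.
        "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type, Authorization",
        "Vary": "Origin",
    }
    return 200, headers


if __name__ == "__main__":
    for o in ("https://tracker.example.org", "https://app.example.org",
              "https://foo.edu", "https://Foo.edu", None):
        print(o, is_origin_header_ok(o, api=True), preflight_response(o)[0])
```

Note that because the tracker's own origin is compared against the scheme://host form of tracker.web, a request from the tracker's own pages passes for both html and api requests without any entry in allowed_api_origins.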
|2022-05-17 21:22:05||rouilj||set||status: new -> open|
|2022-05-17 21:21:22||rouilj||set||messages: + msg7535|