Message8240
Currently the REST flow is:

1. Check validity of the Origin header; log and return if it is missing or its value is not acceptable.
2. Check to see if it's a CORS preflight request; if so, process the request and return. All of these are done as the anonymous user since credentials are not sent. Currently CORS processing only checks to see if the Origin header is present, not if it's valid.
3. Check if the user is authorized to use REST; return 403 if not.

I want to change this to:

1. Check to see if it's a CORS preflight request; if so, process the request. The origin will be validated as part of the change.
2. Check if the user is authorized to use REST, returning 403 if not.
3. Check validity of the Origin header; log and return if it is missing or its value is not acceptable.

The old flow allows any user to generate bad origin header logging spam.
The new flow requires the user to have REST access rights to generate bad header
logs. If anonymous is allowed to use REST, logging spam can still be generated.
Since a CORS request is done automatically by the browser, it should always include
an Origin header. Only somebody pretending to be CORS preflight would be missing
the Origin, so I don't think we lose any debugging capability by not logging
a missing Origin header in preflight mode.
Thoughts or concerns?

| Date | User | Action | Args |
| 2024-12-31 21:48:23 | rouilj | set | recipients: + rouilj |
| 2024-12-31 21:48:23 | rouilj | set | messageid: <1735681703.15.0.0754668564461.issue2551384@roundup.psfhosted.org> |
| 2024-12-31 21:48:23 | rouilj | link | issue2551384 messages |
| 2024-12-31 21:48:22 | rouilj | create | |
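
The two orderings described in the message above, as an added sketch that is not part of the original message and is not Roundup's code. The `Request` class, the allow-list, the user set and the 204/400 status codes are assumptions made for illustration; the message only specifies the 403.

```python
from dataclasses import dataclass, field

ALLOWED = {"https://tracker.example"}   # constructed Origin allow-list
REST_USERS = {"alice"}                  # constructed: users with REST access
BAD_ORIGIN = 400                        # assumed status; the message names none

@dataclass
class Request:                          # hypothetical stand-in for a REST request
    method: str
    headers: dict = field(default_factory=dict)
    user: str = "anonymous"

def is_preflight(req):
    # Preflight: OPTIONS request carrying Access-Control-Request-Method.
    return (req.method == "OPTIONS"
            and "Access-Control-Request-Method" in req.headers)

def origin_ok(req, log=None):
    origin = req.headers.get("Origin")
    if origin in ALLOWED:
        return True
    if log is not None:
        # %r escapes CR/LF so a crafted header cannot split the log entry
        log.append("bad Origin %r from user %r" % (origin, req.user))
    return False

def old_flow(req, log):
    if not origin_ok(req, log):         # logged before any authorization
        return BAD_ORIGIN
    if is_preflight(req):               # CORS step only needed Origin present
        return 204                      # assumed preflight status
    return 200 if req.user in REST_USERS else 403

def new_flow(req, log):
    if is_preflight(req):               # Origin validated here, never logged
        return 204 if origin_ok(req) else BAD_ORIGIN
    if req.user not in REST_USERS:      # 403 comes before the logging check
        return 403
    return 200 if origin_ok(req, log) else BAD_ORIGIN

def run(flow, requests):
    """Return (list of statuses, number of log lines written)."""
    log = []
    return [flow(r, log) for r in requests], len(log)
```

Adding `"anonymous"` to `REST_USERS` reproduces the remaining case the message mentions: the new flow then logs bad Origin headers from anonymous requests again.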