Closed Bug 1011754 Opened 10 years ago Closed 10 years ago

deployed loop server should not have Access-Control-Allow-Origin return "null"

Categories

(Hello (Loop) :: Server, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: dmosedale, Unassigned)

References

Details

This is a security hole, as it allows any cookies on the site to be spoofed by CSRF, a la bug 1011746.

Since our intent is to remove cookies for MLP, this bug doesn't really block it, but I've marked it as blocking MVP as a belt-and-suspenders approach to avoiding future issues.

I somewhat suspect that in the course of getting MLP working, we'll probably fix this as a side-effect of some other change, but just in case...
I don't exactly understand how that happens, can you put STR here?
Interestingly, it doesn't seem to happen unless given an Origin of null.

http --session loop POST loop.dev.mozaws.net/registration Origin:null simple_push_url=https://push.services.mozilla.com/update/MGlYke2SrEmYE8ceyuverbo --verbose

Output from the above:

POST /registration HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Content-Length: 87
Content-Type: application/json; charset=utf-8
Cookie: loop-session=QlZkxveAmOdb074AmtMFnA.emFXnt8Ysp6pYvyBD4apKzxBaBtvYF_LRqsb2aA_MloTiGiDRcG7MG-Wk2FSAIAi.1400681165384.25920000000.UsjOedrqoCnuvXiv4_zTEqwRZ_0gnsSx6JAzVPOC6ZU
Host: loop.dev.mozaws.net
Origin: null
User-Agent: HTTPie/0.8.0

{
    "simple_push_url": "https://push.services.mozilla.com/update/MGlYke2SrEmYE8ceyuverbo"
}

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: null
Connection: keep-alive
Content-Length: 4
Content-Type: application/json; charset=utf-8
Date: Wed, 21 May 2014 14:09:50 GMT
Server: nginx/1.4.7
X-Powered-By: Express

"ok"
Let's try that again:

POST /registration HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Content-Length: 87
Content-Type: application/json; charset=utf-8
Cookie: loop-session=QlZkxveAmOdb074AmtMFnA.emFXnt8Ysp6pYvyBD4apKzxBaBtvYF_LRqsb2aA_MloTiGiDRcG7MG-Wk2FSAIAi.1400681165384.25920000000.UsjOedrqoCnuvXiv4_zTEqwRZ_0gnsSx6JAzVPOC6ZU
Host: loop.dev.mozaws.net
Origin: null
User-Agent: HTTPie/0.8.0

{
    "simple_push_url": "https://push.services.mozilla.com/update/MGlYke2SrEmYE8ceyuverbo"
}

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: null
Connection: keep-alive
Content-Length: 4
Content-Type: application/json; charset=utf-8
Date: Wed, 21 May 2014 14:09:50 GMT
Server: nginx/1.4.7
X-Powered-By: Express

"ok"
Wait, the Loop server is just echoing back Access-Control-Allow-Origin (with credentials) for any host rather than a whitelist of known good sites?
Can you check you're actually using the latest version of the server? (X-Powered-By: Express) was disabled some time ago so it's not normal to see it here.

Also, can you paste the configuration of the server you're using? I suppose this is not happening with the deployed dev instance, right? (it has "allowedOrigins" set to ["http://loop-webapp.dev.mozaws.net"], so it shouldn't accept a null origin, I suppose).
It is happening with the dev instance; see the command-line used in comment 2.
We removed the Allow-Credentials from the server and created a rule so that "*" matches "null" when needed. It seems not to be a problem to have the server accept requests from everywhere, since we're using authentication and not using cookies anymore.

Closing this bug as it's not valid anymore.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Group: core-security
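An added example, not the Loop server's own code, contrasting the origin-reflecting behaviour the reporter observed with an allow-list check that never echoes "null" alongside credentials, plus the credential-less mode the closing comment describes. The allowlist value is the one quoted in the thread; the function names and the checker are assumptions for illustration.

```javascript
// Allowlist as quoted in the thread ("allowedOrigins"); constructed sample config.
const ALLOWED_ORIGINS = ["http://loop-webapp.dev.mozaws.net"];

// Behaviour seen in the bug: whatever Origin the client sent is echoed back,
// including the literal "null", while credentials are also allowed. With cookies
// in play this lets any page read authenticated responses (the CSRF concern).
function corsHeadersReflecting(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened credentialed mode: echo only an allow-listed origin. "null" is what
// sandboxed iframes, file:// pages and some redirects send, so it is never a
// legitimate allow-listed origin. Anything else gets no CORS headers at all,
// so the browser refuses to expose the response to the calling page.
function corsHeadersAllowlist(origin, allowed = ALLOWED_ORIGINS, withCredentials = true) {
  if (typeof origin !== "string" || origin === "null") return {};
  if (!allowed.includes(origin)) return {};
  const headers = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (withCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Credential-less mode, as the closing comment describes: any origin may read,
// because the API authenticates with a header rather than with cookies, and
// Allow-Credentials is deliberately absent. Browsers reject "*" + credentials anyway.
function corsHeadersPublic() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Review check for a captured response: a credentialed response must name
// exactly one allow-listed origin. "*" or "null" with credentials is the bug.
function isUnsafeCors(headers, allowed = ALLOWED_ORIGINS) {
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  if (!creds) return false;
  return acao === "*" || acao === "null" || !allowed.includes(acao);
}
```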