Bug 1011754: deployed loop server should not have Access-Control-Allow-Origin return "null"
Status: RESOLVED INVALID (Closed)
Opened 11 years ago; Closed 11 years ago
Product / Component: Hello (Loop) :: Server (defect)
Tracking: Not tracked
People: Reporter: dmosedale; Assignee: Unassigned
This is a security hole, as it allows any cookies on the site to be spoofed by CSRF, a la bug 1011746.
Since our intent is to remove cookies for MLP, this bug doesn't really block it, but I've marked it as blocking MVP as a belt-and-suspenders approach to avoiding future issues.
I somewhat suspect that in the course of getting MLP working, we'll probably fix this as a side-effect of some other change, but just in case...
Comment 1 • 11 years ago
I don't exactly understand how that happens, can you put STR here?
Comment 2 • 11 years ago (Reporter)
Interestingly, it doesn't seem to happen unless given an Origin of null.
http --session loop POST loop.dev.mozaws.net/registration Origin:null simple_push_url=https://push.services.mozilla.com/update/MGlYke2SrEmYE8ceyuverbo --verbose
Comment 3 • 11 years ago (Reporter)
Output from the above:

POST /registration HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Content-Length: 87
Content-Type: application/json; charset=utf-8
Cookie: loop-session=QlZkxveAmOdb074AmtMFnA.emFXnt8Ysp6pYvyBD4apKzxBaBtvYF_LRqsb2aA_MloTiGiDRcG7MG-Wk2FSAIAi.1400681165384.25920000000.UsjOedrqoCnuvXiv4_zTEqwRZ_0gnsSx6JAzVPOC6ZU
Host: loop.dev.mozaws.net
Origin: null
User-Agent: HTTPie/0.8.0

{
"simple_push_url": "https://push.services.mozilla.com/update/MGlYke2SrEmYE8ceyuverbo"
}

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: null
Connection: keep-alive
Content-Length: 4
Content-Type: application/json; charset=utf-8
Date: Wed, 21 May 2014 14:09:50 GMT
Server: nginx/1.4.7
X-Powered-By: Express

"ok"
Comment 4 • 11 years ago (Reporter)
Let's try that again:
POST /registration HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Content-Length: 87
Content-Type: application/json; charset=utf-8
Cookie: loop-session=QlZkxveAmOdb074AmtMFnA.emFXnt8Ysp6pYvyBD4apKzxBaBtvYF_LRqsb2aA_MloTiGiDRcG7MG-Wk2FSAIAi.1400681165384.25920000000.UsjOedrqoCnuvXiv4_zTEqwRZ_0gnsSx6JAzVPOC6ZU
Host: loop.dev.mozaws.net
Origin: null
User-Agent: HTTPie/0.8.0
{
"simple_push_url": "https://push.services.mozilla.com/update/MGlYke2SrEmYE8ceyuverbo"
}
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: null
Connection: keep-alive
Content-Length: 4
Content-Type: application/json; charset=utf-8
Date: Wed, 21 May 2014 14:09:50 GMT
Server: nginx/1.4.7
X-Powered-By: Express
"ok"
Comment 5 • 11 years ago
Wait, the Loop server is just echoing back Access-Control-Allow-Origin (with credentials) for any host rather than a whitelist of known good sites?
Comment 6 • 11 years ago
Can you check you're actually using the latest version of the server? (X-Powered-By: Express) was disabled some time ago so it's not normal to see it here.
Also, can you paste the configuration of the server you're using? I suppose this is not happening with the deployed dev instance, right? (it has "allowedOrigins" set to ["http://loop-webapp.dev.mozaws.net"], so it shouldn't accept a null origin, I suppose).
Comment 7 • 11 years ago (Reporter)
It is happening with the dev instance; see the command-line used in comment 2.
Comment 8 • 11 years ago
We removed the Allow-Credentials from the server and created a rule so that "*" matches "null" when needed. It seems not to be a problem to have the server accept requests from everywhere, since we're using authentication and not using cookies anymore.
Closing this bug as it's not valid anymore.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Updated • 10 years ago
Group: core-security