Conversation
|
I suspect the answer will be, this should be an option but not enabled by default. So if you would like this accepted it should likely become somehow configurable |
|
@stefanpenner is spot on. If we pull this in, it needs to be optional and off by default... |
|
just out of interest, what's the danger of leaving this on by default? you'd only ever run this locally, right? |
|
@jonnii its the whole intranet exposed by your dev environment problem. Also sometimes people connect to prod data from dev.. The vector is unlikely but possible. |
|
Even if someone accidentally runs the broccoli server on production/public internet, this CORs header doesn't really change too much (IMHO). Anyone with a link directly to your broccoli server would already be see and browse your source before this change (plus link to CSS and JS files via All the header change does is make it so other web pages (served on other domains) can make XHR requests to your files and hotlink assets that normally require same-origin privileges (such as web fonts, at least in Firefox and IE). So from my perspective (note, no security expert here), I think this is worth being on by default. It will make development more convenient and request the number of support requests the project gets. |
|
@timmfin if this is coupled with another thing (like a proxy to your api server) the problem is real. Ultimately making this configurable is the best of both worlds. Additionally, some people might be surprised when there local development setup works but production (which may lack the cors headers) doesn't work. The opt-in makes it clear. |
|
Oh, ok. In that case you'd be allowing arbitrary XHR calls to your proxied API. And yeah, that is a different situation. Maybe this makes things too complex, but the above issue could be mitigated by only making the broccoli middleware add the default CORs header when the |
|
I think my point is this:
All I'm saying is that it should be opt-in (because it definitely adds value in some scenarios). |
|
This header is only used when broccoli is serving static assets. There is no way to exploit this in any way, as far as I can see. The broccoli server is not meant to be run in production, this is stated multiple times it the broccoli documentation. Even if it were, @timmfin's analysis is spot on. The only thing the CORS header permits which wasn't permitted before are XHR requests to the static assets. Which is useless, and an equivalent action could already be performed in other ways. Also requesting certain assets which are restricted by browsers, which we want to be able to do, hence this PR ;) The proxy server argument is not compelling either, since those would only be used if we called Seriously, this is just convenient and perfectly safe. There's no need for this to be behind an option flag. |
|
It might also be worth noting that someone with wget or curl doesn't need the CORS header to access static assets if broccoli is serving on interfaces other than localhost. In development not having CORS preflight header support just means you can't easily develop. I still think it has to be configurable but for me its niether here nor there what the default should be if documentation is clear and concise I consider it lesss effort to enable than getting your CSP right. |
|
@jnicklas @ahacking I appreciate your feedback. My suggestion remains the same -> exposing CORS headers as quick and easy opt in functionality.
I suspect many scenarios were this may be a pain (modeling a multi-domain setup in development for proper alignment with production) also need these headers set in production. It seems natural to then opt-in. If development has enables CORs but production does one relies on them, it would also result in a frustrating situation.
It is a common scenario and although the current PR may not be susceptible, the lack of regression tests to ensure this continues to work as the author intends is what gives me pause. |
|
So dredging this up, since I am still running an To address @stefanpenner's concerns:
Simple requests, which are basically GET and POST with certain content encodings, do not need preflight requests. It is only these requests that this PR permits. Why are the rules more relaxed for these requests? Because these can be performed without the use of XMLHttpRequest already, through cross origin form posts and cross origin resource loading respectively, which all browsers already permit. This is why we have CSRF protection in web frameworks. In short, enabling CORS on these kinds of requests doesn't expose any attack vector which can't already be exploited in other ways. Let's not forget that CSRF is a session attack. If the app in question does not make any use of session data, and the broccoli server does not, then it cannot be exploited. Personally I find it silly to make this optional. It just makes things needlessly frustrating for users. That being said, if after this you still feel the need to make this an option I will admit defeat and amend the PR. Your choice. |
Ya this is a problem, it should be configurable or some possible for you to get what you want with the official release. Having to link the project is a deficiency, and should be addressed. @joliss your feedback would be great, as my above comments are mostly speculative assumptions of your opinion. |
|
It seems that if we always add Side note: It's true that we already allow cross-origin embedding e.g. via Anyways, back to getting fonts working: We might add an option for a CORS header, so that users can explicitly allow access from their dev server only (e.g. I don't suppose there is an optionless way to make CORS work for fonts without introducing security issues, is there? (Extension-sniffing doesn't count.) In the absence of a nice optionless fix, can we revisit this in a few months? |
ghost
force-pushed
the
cors
branch
3 times, most recently
from
74fa4f9 to
f210797
Compare
|
Sorry to be taking so long to get back to this. @joliss that's a really good point. I've updated this PR to a more conservative option, where we're adding an access-control-allow-origin header only if the origin domain resolves to Unfortunately this isn't an ideal solution since it doesn't allow fonts to be loaded from inside a VM for example, or anywhere else where we want to access them through an actual IP rather than a loopback IP. |
|
👍 on this. Came across this problem for both fonts and web worker scripts today. Any updates? |
I believe CORs headers won't help you as WebWorker spec has no awaresness of CORs. I reported this as a bug quite some time ago, but I don't believe any progress has been made. context: http://www.w3.org/TR/workers/#dom-workerglobalscope-location A work-around for workers is host them same origin, or consider a risky eval running worker. That accepts scripts as input. This is dubious at best but until the spec/vendors/browsers fix ^. I am uncertain of a better solution :( If someone has one feel free to share. @devongovett but @joliss's comment: #208 (comment) is still the status of this issue. |
|
I worked around the Worker issue by using Can't seem to get around the font issue though. |
ah yes, blob URLs. I think when I attempted, i was just pwnd bug buggy behavior on old Android and lack of support on now "aged out" versions safari. but i didn't realize:
thats scary but interesting, will have to re-consider being entirely emo about WW's |
|
@stefanpenner I have tried to address @joliss's concerns. The current iteration of this PR doesn't solve the issue completely, but it improves on the status quo. It should not be vulnerable to the sniffing method that @joliss was concerned about and it does not introduce a new option. |
There was a problem hiding this comment.
Do we need a DNS lookup here, or do you think we get away with comparing to localhost, 127.0.0.1, ::1 for performance?
There was a problem hiding this comment.
The DNS lookup is convenient for people who run their dev servers on a local domain name (think /etc/hosts). Something like pow would work with this DNS lookup, whereas a simple string comparison wouldn't work. Maybe that's acceptable though, it would definitely make for prettier code.
I agree - it might be an acceptable partial solution though. I'm kind of on the fence. Is what we're doing in this PR safe? I think it probably is, but I'm having trouble convincing myself that it's definitely safe. @stefanpenner, @rwjblue, do you have an opinion on all this? |
|
If CORs must exist, my vote is for it to be an opt-in. |
|
I believe we should address this via @JakeDetels "enhanced customization of server options" #292 |
|
related: #490 |
9 participants
When developing with Broccoli, sometimes one might want to serve up font files from the Broccoli server. However, certain browsers restrict access to font files based on CORS rules. This makes it impossible to have broccoli serve up font files to another application running on a separate port. This simply adds a CORS header which allows access to these files.