fix(origin): allow any localhost origin

This provides less protection, but not any different from the fact that local programs can also access /vat or the websocket. It's needed for Docker images to be independent of port or listening address.
Agoric · Oct 15, 2019 · 80e35fc · 80e35fc
1 parent a704120
commit 80e35fc
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 22 deletions.
diff --git a/lib/ag-solo/start.js b/lib/ag-solo/start.js
@@ -195,16 +195,15 @@ export default async function start(basedir, withSES, argv) {
   // Install the contracts, if given a client role.
   if (argv.find(value => value.match(/^--role=.*client/)) !== undefined) {
     const contractsDir = path.join(basedir, 'contracts');
-    const pairs = (await fs.promises.readdir(contractsDir)).reduce(
-      (prior, name) => {
+    const pairs = (await fs.promises.readdir(contractsDir))
+      .sort()
+      .reduce((prior, name) => {
         const match = name.match(CONTRACT_REGEXP);
         if (match) {
           prior.push(`${match[1]}=${contractsDir}/${name}`);
         }
         return prior;
-      },
-      [],
-    );
+      }, []);
 
     if (pairs.length > 0) {
       // eslint-disable-next-line no-await-in-loop

diff --git a/lib/ag-solo/vats/vat-http.js b/lib/ag-solo/vats/vat-http.js
@@ -7,8 +7,14 @@ import { getReplHandler } from './repl';
 function build(E, D) {
   let commandDevice;
   let provisioner;
-  const homeObjects = { LOADING: 'fetching home objects' };
-  let exportedToCapTP = { LOADING: 'fetching home objects' };
+  const loaded = {};
+  loaded.p = new Promise((resolve, reject) => {
+    loaded.res = resolve;
+    loaded.rej = reject;
+  });
+  harden(loaded);
+  const homeObjects = { LOADING: loaded.p };
+  let exportedToCapTP = { LOADING: loaded.p };
 
   let handler = {};
   let canvasState;
@@ -90,9 +96,9 @@ function build(E, D) {
     },
 
     setPresences(ps, privateObjects) {
-      delete homeObjects.LOADING;
-      exportedToCapTP = Object.assign({}, ps, privateObjects);
+      exportedToCapTP = { ...ps, ...privateObjects };
       Object.assign(homeObjects, ps, privateObjects);
+      loaded.res('chain bundle loaded');
       if (ps.canvasStatePublisher) {
         const subscriber = harden({
           notify(m) {

diff --git a/lib/ag-solo/web.js b/lib/ag-solo/web.js
@@ -41,24 +41,16 @@ export function makeHTTPListener(basedir, port, host, inboundCommand) {
     const url = new URL(origin);
     const isLocalhost = hostname =>
       hostname.match(/^(localhost|127\.0\.0\.1)$/);
-    if (isLocalhost(host)) {
-      if (!isLocalhost(url.hostname)) {
-        console.log(id, `Invalid origin host ${origin} is not local`);
-        return false;
-      }
-    } else if (url.hostname !== host) {
-      console.log(id, `Invalid origin host ${origin}`);
+
+    if (!isLocalhost(url.hostname)) {
+      console.log(id, `Invalid origin host ${origin} is not localhost`);
+      return false;
     }
 
     if (url.protocol !== 'http:' && url.protocol !== 'https:') {
       console.log(id, `Invalid origin protocol ${origin}`, url.protocol);
       return false;
     }
-    if (String(url.port) !== String(port)) {
-      console.log(id, `Invalid origin port ${origin}`, url.port);
-      return false;
-    }
-
     return true;
   };
 

diff --git a/provisioning-server/src/ag_pserver/main.py b/provisioning-server/src/ag_pserver/main.py
@@ -227,7 +227,7 @@ def ret(server_message):
         resp = yield treq.post(controller_url, m.encode('utf-8'), reactor=reactor,
                                 headers={
                                     b'Content-Type': [b'application/json'],
-                                    b'Origin': [controller_url.encode('utf-8')],
+                                    b'Origin': [b'http://127.0.0.1'],
                                 })
         if resp.code < 200 or resp.code >= 300:
             raise Exception('invalid response code ' + str(resp.code))