
Fix: disallow POST without Origin nor Referer from specific user agents #193

Merged
merged 2 commits into from
Apr 6, 2020

Conversation

hsanjuan
Contributor

@hsanjuan hsanjuan commented Apr 6, 2020

Addresses browsers being able to POST without control due to things like
https://bugzilla.mozilla.org/show_bug.cgi?id=429594

@hsanjuan hsanjuan self-assigned this Apr 6, 2020
@hsanjuan
Contributor Author

hsanjuan commented Apr 6, 2020

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent/Firefox

The problem affects Firefox, but what about:

  • Focus/Klar for Android: Different UA only in old versions, now it's Firefox it seems.
  • Focus for FireTV and Echo Show: seems to use Focus user agent still.
  • FxiOS (Focus and Firefox for iOS)
  • Fennec/Seamonkey etc: should include Firefox in the UA.

@hsanjuan
Contributor Author

hsanjuan commented Apr 6, 2020

But all of those would not have IPFS API running on a local port so it should be fine...

@hsanjuan hsanjuan force-pushed the fix/disallow-agent branch from 3042fc5 to cd51b41 Compare April 6, 2020 11:19
@hsanjuan hsanjuan marked this pull request as ready for review April 6, 2020 11:19
@hsanjuan
Contributor Author

hsanjuan commented Apr 6, 2020

Apparently Android at least can run go-ipfs on 127.0.0.1:5001, so I have included Focus, Klar, FxiOS in the list. It should not affect them if they are setting the headers right anyways.

But that said, we could just run this check on anything ^Mozilla and catch all browsers?
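
The check discussed in this thread, written out as an added example (not the project's own code and not the PR's diff): a Go `net/http` middleware that refuses a POST carrying neither `Origin` nor `Referer` when the `User-Agent` looks like a browser. The substring list (`Firefox`, `Focus`, `Klar`, `FxiOS`) and the `catchAllMozilla` switch for the broader `^Mozilla` option are illustrative assumptions; the user-agent strings in `main` are constructed samples.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Assumed list of browser User-Agent substrings (illustrative, not the
// project's actual list). Firefox-family browsers that can reach an API
// bound to 127.0.0.1 are the concern raised in the thread.
var browserAgents = []string{"Firefox", "Focus", "Klar", "FxiOS"}

// isBrowserAgent reports whether ua looks like a browser. With catchAllMozilla
// set, any UA starting with "Mozilla" counts (the broader option floated in
// the thread); otherwise only the listed substrings match.
func isBrowserAgent(ua string, catchAllMozilla bool) bool {
	if catchAllMozilla && strings.HasPrefix(ua, "Mozilla") {
		return true
	}
	for _, a := range browserAgents {
		if strings.Contains(ua, a) {
			return true
		}
	}
	return false
}

// shouldReject is the decision in isolation: a POST with neither Origin nor
// Referer that comes from a browser-looking UA is refused. Non-browser
// clients (curl, SDKs) and requests carrying either header pass through so
// the regular Origin/CORS checks can judge them.
func shouldReject(method, ua, origin, referer string, catchAllMozilla bool) bool {
	if method != http.MethodPost {
		return false
	}
	if origin != "" || referer != "" {
		return false
	}
	return isBrowserAgent(ua, catchAllMozilla)
}

// RejectHeaderlessBrowserPOST wraps next with the check above and answers
// 403 to rejected requests.
func RejectHeaderlessBrowserPOST(next http.Handler, catchAllMozilla bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if shouldReject(r.Method, r.UserAgent(), r.Header.Get("Origin"), r.Header.Get("Referer"), catchAllMozilla) {
			http.Error(w, "403 - Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	const ffUA = "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"
	// Constructed sample requests: method, UA, Origin, Referer.
	samples := []struct{ method, ua, origin, referer string }{
		{"POST", ffUA, "", ""},                      // rejected
		{"POST", ffUA, "http://127.0.0.1:5001", ""}, // passes, Origin present
		{"POST", "curl/7.68.0", "", ""},             // passes, not a browser
		{"GET", ffUA, "", ""},                       // passes, not a POST
	}
	for _, s := range samples {
		fmt.Printf("%-4s origin=%q referer=%q ua=%q -> reject=%v\n",
			s.method, s.origin, s.referer, s.ua,
			shouldReject(s.method, s.ua, s.origin, s.referer, false))
	}
}
```

The decision is kept in `shouldReject` so it can be unit-tested without a server; the middleware only adapts it to `*http.Request`. Note that the check is a stopgap for a client bug: a request that does carry `Origin` is deliberately let through here and left to the existing Origin allow-list.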

@hsanjuan hsanjuan force-pushed the fix/disallow-agent branch from c7f6fce to b00bc40 Compare April 6, 2020 11:33
Member

@lidel lidel left a comment


Should solve the problem for now. Hopefully we will have API tokens or something like that before the User-Agent header is gone:

https://www.infoq.com/news/2020/03/chrome-phasing-user-agent/:

Apple (https://twitter.com/rmondello/status/943545865204989953), Microsoft (https://twitter.com/_scottlow/status/1206831008261132289), and Mozilla (mozilla/standards-positions#202 (comment)) have also expressed support for Google's proposal to freeze and phase out the user-agent string, but have not announced detailed plans at the time of writing.
