-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add CORS middleware #1349
Add CORS middleware #1349
Conversation
- fix bug with cookies differing when calling login and whoami endpoints
internal/auth/oauth2.go
Outdated
// Note browsers require cookies with the same-site policy as 'none' to additionally have the secure flag set. | ||
func sessionCrossOriginSafe(session *sessions.Session, secure bool) *sessions.Session { | ||
session.Options.Secure = secure // Ensures only sent with HTTPS | ||
session.Options.HttpOnly = false // Allow Javascript to read it |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why are we allowing javascript to read it? Do they manipulate the cookies in some way?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No they call whoami to get details
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point @SimoneDutto I went and tried my test again, setting HttpOnly = true and the browser still sends the cookie. Had a google and I see from here
A cookie with the HttpOnly attribute can't be modified by JavaScript, for example using Document.cookie; it can only be modified when it reaches the server. Cookies that persist user sessions for example should have the HttpOnly attribute set — it would be really insecure to make them available to JavaScript. This precaution helps mitigate cross-site scripting (XSS) attacks.
So I'll change this to true.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, this is more secure! thank you for this
cmd/jimmsrv/service/service.go
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think you can add some requests forged to trigger cors policies in service_test.go
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just so I'm understanding correctly,
now we same site none of on our session cookies allowing them to go anywhere? And the server has cors enabled with GET only?
I'm not sure I understand the first part of your message. But with "samesite" set to none, the browser will include the cookie the cookie in all requests to the domain that set the cookie, including JS requests and via top-level navigation (i.e. a user clicking a link). And the server now has CORS only for GET requests, correct. |
func sessionCrossOriginSafe(session *sessions.Session, secure bool) *sessions.Session { | ||
session.Options.Secure = secure // Ensures only sent with HTTPS | ||
session.Options.HttpOnly = true // Don't allow Javascript to modify cookie | ||
session.Options.SameSite = http.SameSiteNoneMode // Allow cross-origin requests via Javascript |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think it's possible to set a domain for cookies, like .canonical
. I can imagine in a production environment having the dashboard and jimm under the same subdomain.
In this way we are more secure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The domain automatically gets set to the domain that set the cookie. Doc source
I think the attack vector @ale8k is worried about is having a malicious js snippet in the victim browser using the dashboard able to send out (to |
Description
This PR does a few things around CORS to fix issues raised by the Juju dashboard.
There are some things worth mentioning here:
Access-Control-Allow-Credentials
header to true. See here.Fixes CSS-10514
Engineering checklist
Check only items that apply
Test instructions
I tested the changes with a react app and made a request from the app, running at
localhost:3006
to JIMM's /auth/whoami endpoint. After configuring CORS there was a 403 error because the browser did not send JIMM's session cookie in the request until the cookie's sameSite policy was changed to none.