comparison doc/rest.txt @ 7155:89a59e46b3af
improve REST interface security
When using REST, we reflect the client's origin. If the wildcard '*'
is used in allowed_api_origins all origins are allowed. When this is
done, it also adds an 'Access-Control-Allow-Credentials: true'
header.
This Credentials header should not be added if the site is matched
only by '*'. This header should be provided only for explicit origins
(e.g. https://example.org) not for the wildcard.
This is now fixed for CORS preflight OPTIONS requests as well as normal
GET, PUT, DELETE, POST, PATCH and OPTIONS requests.
A missing Access-Control-Allow-Credentials will prevent the tracker
from being accessed using credentials. This prevents an unauthorized
third party web site from using a user's credentials to access
information in the tracker that is not publicly available.
Added test for this specific case.
In addition, allowed_api_origins can include explicit origins in
addition to '*'. '*' must be first in the list.
Also adapted numerous tests to work with these changes.
Doc updates.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 Feb 2023 12:01:33 -0500 |
| parents | 42e68162279b |
| children | f86a4a712f1f |
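The rules the commit message describes, written out as a small header-building routine so the wildcard and explicit-origin cases can be compared side by side with the behaviour the commit removes. This is an added example, not Roundup's own code or its REST implementation; the function names, the `Vary: Origin` header and the echoing of the preflight's requested headers are this example's assumptions, not something the page documents.

```python
# Added example, not Roundup's own code: the CORS header rules described in
# the commit message, with the pre-fix behaviour kept beside the fixed one.
# Function names, the Vary header and the echoing of requested headers are
# this example's assumptions, not something the page documents.

ALLOWED_METHODS = "GET, PUT, DELETE, POST, PATCH, OPTIONS"


def match_origin(origin, allowed_api_origins):
    """Classify the request's Origin header against allowed_api_origins.

    Returns "explicit" when the origin is listed by name, "wildcard" when it
    is admitted only because "*" is configured, and None when it is not
    allowed. As the commit requires, "*" is only honoured as the first
    element; anywhere else it is a configuration error.
    """
    allowed = list(allowed_api_origins)
    if not origin or not allowed:
        return None
    if "*" in allowed[1:]:
        raise ValueError("'*' must be the first element of allowed_api_origins")
    wildcard = allowed[0] == "*"
    explicit = allowed[1:] if wildcard else allowed
    if origin in explicit:
        return "explicit"
    return "wildcard" if wildcard else None


def cors_headers(origin, allowed_api_origins, preflight=False, requested_headers=""):
    """CORS headers for a REST response, fixed behaviour.

    The client's origin is reflected in Access-Control-Allow-Origin, but
    Access-Control-Allow-Credentials is only sent for an explicit match, so a
    wildcard-only match limits the caller to what the anonymous user can see.
    """
    kind = match_origin(origin, allowed_api_origins)
    if kind is None:
        return {}  # not an allowed origin: no CORS headers at all
    headers = {
        "Access-Control-Allow-Origin": origin,
        # Reflecting the origin means caches must key on it (assumption:
        # not mentioned on the page, but standard when echoing Origin).
        "Vary": "Origin",
    }
    if kind == "explicit":
        headers["Access-Control-Allow-Credentials"] = "true"
    if preflight:
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        # Assumption: echo the headers the preflight asked for.
        headers["Access-Control-Allow-Headers"] = requested_headers
        headers["Access-Control-Max-Age"] = "86400"
    return headers


def cors_headers_before_fix(origin, allowed_api_origins):
    """The behaviour the commit removes: credentials granted on any match.

    With "*" configured, every origin received Allow-Credentials: true, so a
    page on any third-party site could read responses made with the user's
    credentials and see data that is not public.
    """
    if match_origin(origin, allowed_api_origins) is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


if __name__ == "__main__":
    # Constructed configuration: wildcard first, one explicit origin after it.
    config = ["*", "https://example.org"]
    for origin in ("https://example.org", "https://third-party.test"):
        print(origin)
        print("  before:", cors_headers_before_fix(origin, config))
        print("  after: ", cors_headers(origin, config))
```

Running it shows the difference the commit makes: both origins are still reflected in `Access-Control-Allow-Origin`, but only `https://example.org`, which is named explicitly, receives `Access-Control-Allow-Credentials: true` after the fix, while the wildcard-only origin is limited to anonymous access.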
| 7154:f614176903d0 | 7155:89a59e46b3af |
|---|---|
| 229 | 229 |
| 230 * `Access-Control-Request-Headers` | 230 * `Access-Control-Request-Headers` |
| 231 * `Access-Control-Request-Method` | 231 * `Access-Control-Request-Method` |
| 232 * `Origin` | 232 * `Origin` |
| 233 | 233 |
| 234 The 204 response will include the headers: | 234 The headers of the 204 response depend on the |
| 235 ``allowed_api_origins`` setting. If a ``*`` is included as the | |
| 236 first element, any client can read the data but they can not | |
| 237 provide authentication. This limits the available data to what | |
| 238 the anonymous user can see in the web interface. | |
| 239 | |
| 240 All 204 responses will include the headers: | |
| 235 | 241 |
| 236 * `Access-Control-Allow-Origin` | 242 * `Access-Control-Allow-Origin` |
| 237 * `Access-Control-Allow-Headers` | 243 * `Access-Control-Allow-Headers` |
| 238 * `Access-Control-Allow-Methods` | 244 * `Access-Control-Allow-Methods` |
| 245 * `Access-Control-Max-Age: 86400` | |
| 246 | |
| 247 If the client's ORIGIN header matches an entry besides ``*`` in the | |
| 248 ``allowed_api_origins`` it will also include: | |
| 249 | |
| 239 * `Access-Control-Allow-Credentials: true` | 250 * `Access-Control-Allow-Credentials: true` |
| 240 * `Access-Control-Max-Age: 86400` | 251 |
| 241 | 252 permitting the client to log in and perform authenticated operations. |
| 253 | |
| 242 If the endpoint accepts the PATCH verb the header `Accept-Patch` with | 254 If the endpoint accepts the PATCH verb the header `Accept-Patch` with |
| 243 valid mime types (usually `application/x-www-form-urlencoded, | 255 valid mime types (usually `application/x-www-form-urlencoded, |
| 244 multipart/form-data`) will be included. | 256 multipart/form-data`) will be included. |
| 245 | 257 |
| 246 It will also include rate limit headers since the request is included | 258 It will also include rate limit headers since the request is included |
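Review bot: the new text leaves the precedence rule implicit for the configuration the commit message explicitly allows, ``*`` first followed by named origins: the paragraph starting "If a ``*`` is included as the first element" says such clients "can not provide authentication", while the later paragraph "If the client's ORIGIN header matches an entry besides ``*``" says the credentials header is added, and a reader has to infer that the explicit match wins. Suggest stating it directly, e.g. "If ``*`` is first and the client's Origin also matches a later explicit entry, the explicit entry applies and the credentials header is sent." Two smaller points in the same hunk: "can not" should be "cannot", and "ORIGIN header" should be written `Origin` to match the header name as listed in the preflight request headers above it. Finally, the 204 response list names `Access-Control-Allow-Origin` without saying what value it carries; the commit message says the client's origin is reflected, and saying so here (rather than leaving a reader to assume ``*``) explains why the credentials header is meaningful for explicit origins at all.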
