Mercurial > p > roundup > code
comparison doc/upgrading.txt @ 7155:89a59e46b3af
improve REST interface security
When using REST, we reflect the client's origin. If the wildcard '*'
is used in allowed_api_origins all origins are allowed. When this is
done, it also added an 'Access-Control-Allow-Credentials: true'
header.
This Credentials header should not be added if the site is matched
only by '*'. This header should be provided only for explicit origins
(e.g. https://example.org) not for the wildcard.
This is now fixed for CORS preflight OPTIONS request as well as normal
GET, PUT, DELETE, POST, PATCH and OPTIONS requests.
A missing Access-Control-Allow-Credentials will prevent the tracker
from being accessed using credentials. This prevents an unauthorized
third party web site from using a user's credentials to access
information in the tracker that is not publicly available.
Added test for this specific case.
In addition, allowed_api_origins can include explicit origins in
addition to '*'. '*' must be first in the list.
Also adapted numerous tests to work with these changes.
Doc updates.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 Feb 2023 12:01:33 -0500 |
| parents | 1e3b9abbc2b9 |
| children | 1549c7e74ef8 |
comparison
equal
deleted
inserted
replaced
| 7154:f614176903d0 | 7155:89a59e46b3af |
|---|---|
| 233 when it opens the database, so options such as ``truncate`` | 233 when it opens the database, so options such as ``truncate`` |
| 234 are not used.) | 234 are not used.) |
| 235 | 235 |
| 236 For details on WAL mode see `<https://www.sqlite.org/wal.html>`_ | 236 For details on WAL mode see `<https://www.sqlite.org/wal.html>`_ |
| 237 and `<https://www.sqlite.org/pragma.html#pragma_journal_mode>`_. | 237 and `<https://www.sqlite.org/pragma.html#pragma_journal_mode>`_. |
| 238 | |
| 239 Change in processing allowed_api_origins setting | |
| 240 ------------------------------------------------ | |
| 241 | |
| 242 In this release you can use both ``*`` (as the first origin) and | |
| 243 explicit origins in the `allowed_api_origins`` setting in | |
| 244 ``config.ini``. (Before it was only one or the other.) | |
| 245 | |
| 246 You do not need to use ``*``. If you do, it allows any client | |
| 247 anonymous (unauthenticated) access to the Roundup tracker. This | |
| 248 is the same as browsing the tracker without logging in. If they | |
| 249 try to provide credentials, access to the data will be denied by | |
| 250 `CORS`_. | |
| 251 | |
| 252 If you include explicit origins (e.g. \https://example.com), | |
| 253 users from those origins will not be blocked if they use | |
| 254 credentials to log in. | |
| 255 | |
| 256 .. _CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS | |
| 238 | 257 |
| 239 Change in processing of In-Reply_to email header | 258 Change in processing of In-Reply_to email header |
| 240 ------------------------------------------------ | 259 ------------------------------------------------ |
| 241 | 260 |
| 242 Messages received via email usually include a ``[issue23]`` | 261 Messages received via email usually include a ``[issue23]`` |