Mercurial > p > roundup > code
diff doc/upgrading.txt @ 7155:89a59e46b3af
improve REST interface security
When using REST, we reflect the client's origin. If the wildcard '*'
is used in allowed_api_origins all origins are allowed. When this is
done, it also added an 'Access-Control-Allow-Credentials: true'
header.
This Credentials header should not be added if the site is matched
only by '*'. This header should be provided only for explicit origins
(e.g. https://example.org) not for the wildcard.
This is now fixed for CORS preflight OPTIONS request as well as normal
GET, PUT, DELETE, POST, PATCH and OPTIONS requests.
A missing Access-Control-Allow-Credentials will prevent the tracker
from being accessed using credentials. This prevents an unauthorized
third party web site from using a user's credentials to access
information in the tracker that is not publicly available.
Added test for this specific case.
In addition, allowed_api_origins can include explicit origins in
addition to '*'. '*' must be first in the list.
Also adapted numerous tests to work with these changes.
Doc updates.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 Feb 2023 12:01:33 -0500 |
| parents | 1e3b9abbc2b9 |
| children | 1549c7e74ef8 |
line wrap: on
line diff
--- a/doc/upgrading.txt Tue Feb 21 23:06:15 2023 -0500 +++ b/doc/upgrading.txt Thu Feb 23 12:01:33 2023 -0500 @@ -236,6 +236,25 @@ For details on WAL mode see `<https://www.sqlite.org/wal.html>`_ and `<https://www.sqlite.org/pragma.html#pragma_journal_mode>`_. +Change in processing allowed_api_origins setting +------------------------------------------------ + +In this release you can use both ``*`` (as the first origin) and +explicit origins in the `allowed_api_origins`` setting in +``config.ini``. (Before it was only one or the other.) + +You do not need to use ``*``. If you do, it allows any client +anonymous (unauthenticated) access to the Roundup tracker. This +is the same as browsing the tracker without logging in. If they +try to provide credentials, access to the data will be denied by +`CORS`_. + +If you include explicit origins (e.g. \https://example.com), +users from those origins will not be blocked if they use +credentials to log in. + +.. _CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS + Change in processing of In-Reply_to email header ------------------------------------------------