API needs authentication or to stop using POST about aw-server HOT 4 OPEN

Looking at that source file, I notice that the CORS headers are only configured for the /api/* endpoints.

That should probably be fixed.

from aw-server.

We have CORS setup with flask_cors so this should not be possible.
Either something has changed in newer aw-server versions, or you are running you aw-server with custom origins enabled (you can do that either with an CLI argument or by enabling it in the config file for aw-server).

Can you reproduce it with aw-server-rust as well? We are using rocket_cors in aw-server-rust, worked a few months ago at least.

I'm unfortunately on vacation and dont have a laptop with me, so I can't reproduce ATM.

from aw-server.

I don't see any fixable bug in CORS, and my report may have been misleading; what I'm reporting is that the lack of authentication means having correct CORS configuration does not block POST, and so authentication is needed. But I also might have misunderstood CORS. I'll double check on latest.

from aw-server.

No, I think you're right.

I've thought through this before (a long time ago) and came to the conclusion it was not a (significant) issue, at the time.

I still think there's not much of an issue in our case (except maybe a low-severity disk-spam/DoS vuln), but you are right: other origins can make cross-site POST requests, they just won't see the response. (https://security.stackexchange.com/questions/183981/why-dont-browsers-block-cross-site-posts-by-default)

I'm sick right now, so don't have the brain power for security mindset. But we should look into if we can remedy this. (check Origin header server-side?)

Thank you for raising this issue again, always appreciate an extra set of eyes on security.

Edit: asked ChatGPT too just for reference. I think it covers the issue pretty well: https://chat.openai.com/share/2a9730d7-e762-4075-8b49-2c6ebc4a3d7b

from aw-server.