Comments (4)
Looking at that source file, I notice that the CORS headers are only configured for the /api/*
endpoints.
That should probably be fixed.
from aw-server.
We have CORS setup with flask_cors so this should not be possible.
Either something has changed in newer aw-server versions, or you are running your aw-server with custom origins enabled (you can do that either with a CLI argument or by enabling it in the config file for aw-server).
Line 80 in df76a77
Can you reproduce it with aw-server-rust as well? We are using rocket_cors in aw-server-rust, worked a few months ago at least.
I'm unfortunately on vacation and don't have a laptop with me, so I can't reproduce ATM.
from aw-server.
I don't see any fixable bug in CORS, and my report may have been misleading; what I'm reporting is that the lack of authentication means having correct CORS configuration does not block POST, and so authentication is needed. But I also might have misunderstood CORS. I'll double check on latest.
from aw-server.
No, I think you're right.
I've thought through this before (a long time ago) and came to the conclusion it was not a (significant) issue, at the time.
I still think there's not much of an issue in our case (except maybe a low-severity disk-spam/DoS vuln), but you are right: other origins can make cross-site POST requests, they just won't see the response. (https://security.stackexchange.com/questions/183981/why-dont-browsers-block-cross-site-posts-by-default)
I'm sick right now, so don't have the brain power for security mindset. But we should look into if we can remedy this. (check Origin header server-side?)
Thank you for raising this issue again, always appreciate an extra set of eyes on security.
Edit: asked ChatGPT too just for reference. I think it covers the issue pretty well: https://chat.openai.com/share/2a9730d7-e762-4075-8b49-2c6ebc4a3d7b
from aw-server.
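A concrete form of the server-side Origin check floated in the thread, as an added example (not aw-server's own code): a WSGI wrapper that a Flask app can be mounted under, so that cross-site writes are refused before the handler runs while reads and the CORS preflight pass through. It assumes the server's own origin is the Host the request arrived on and that `http://localhost:27180` is the web UI dev origin; both are assumptions for the demo.

```python
# Added example: reject cross-site state-changing requests by Origin header.
# CORS only hides the *response* from a foreign origin; the browser still
# sends the POST, so the check has to happen server-side.
from urllib.parse import urlsplit

# Methods that can create or change data. GET/HEAD/OPTIONS pass through so
# reads and the CORS preflight keep working.
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def origin_allowed(origin, host, allowed_origins):
    """True if a request carrying this Origin header may perform a write."""
    if origin is None:
        # Non-browser clients (curl, watchers) send no Origin; browsers always
        # attach one to a cross-site POST, so "absent" is not a browser request.
        return True
    if origin == "null":
        return False  # sandboxed iframe / file:// page: never trust
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.netloc == host:
        return True  # same origin as the server itself
    return origin in allowed_origins


class OriginCheck:
    """Wrap a WSGI app: app.wsgi_app = OriginCheck(app.wsgi_app, {...})."""

    def __init__(self, wsgi_app, allowed_origins=()):
        self.wsgi_app = wsgi_app
        self.allowed_origins = set(allowed_origins)

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        origin = environ.get("HTTP_ORIGIN")
        host = environ.get("HTTP_HOST", "")
        if method in UNSAFE_METHODS and not origin_allowed(origin, host, self.allowed_origins):
            body = b"forbidden: cross-site write rejected\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.wsgi_app(environ, start_response)


def _demo_app(environ, start_response):  # stand-in for the real Flask app
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def status_for(method, origin=None, host="localhost:5600",
               allowed=("http://localhost:27180",)):  # assumed dev-UI origin
    """Push one constructed request through the middleware; return the status."""
    environ = {"REQUEST_METHOD": method, "HTTP_HOST": host}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    seen = []
    list(OriginCheck(_demo_app, allowed)(environ, lambda s, h: seen.append(s)))
    return seen[0]
```

A request from a foreign page is still allowed to GET (CORS hides the response anyway), but its POST gets a 403 before any handler touches the database.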