-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cors: add a flag for cors #5671
Conversation
- added a flag to the rest server that if you are fine with accepting all cors you can. let the user decide Signed-off-by: Marko Baricevic <[email protected]>
First off VERY glad to see CORS coming back as an option. This greatly improves the developer experience of working with browser clients that interact with the REST endpoint. This has traditionally been a hot topic because of the security considerations of allowing users to expose a REST endpoint unfettered. While I think it should be up to the developer using the SDK to make those decisions and precautions themselves, I wonder whether this feature should be considered as intended for production or testing use. If just for testing then I think making it accept all CORS as it currently does makes sense, but maybe we should rename it something like If we are happy with the idea that this might be a production setting then maybe we should offer the flag to equal a string of comma separated values that can be parsed as follows: CORS(AllowedOrigins([]string{})) (usage seen here) This would allow a user to pass "*" to accept CORS from all origins or a comma separated list of approved origins. |
client/lcd/root.go
Outdated
) | ||
|
||
return err | ||
}, | ||
} | ||
|
||
cmd.Flags().Bool(FlagAllowCORS, false, "Allows CORS requests from all domains") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be added in client/lcd.RegisterRestServerFlags()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm blocking this because I believe this requires discussion before we press ahead.
I acknowledge that this would make developers experience easier. I agree that especially while testing an app locally it's convenient to disable security features. Though IMHO it's our responsibility to make it as difficult as possible for developers to make dumb mistakes. I have few ideas on how to implement this without compromising on security (e.g. --cors
flag may take effect on condition that a certain compilation flag is passed at build time + confirmation prompt when used). Let's discuss options, shall we? :)
Co-Authored-By: Alessio Treglia <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good progress here 👍
Codecov Report
@@ Coverage Diff @@
## master #5671 +/- ##
=========================================
- Coverage 37.76% 36.96% -0.8%
=========================================
Files 328 328
Lines 30267 30915 +648
=========================================
Hits 11429 11429
- Misses 17645 18293 +648
Partials 1193 1193
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK
@@ -68,6 +69,11 @@ func (rs *RestServer) Start(listenAddr string, maxOpen int, readTimeout, writeTi | |||
), | |||
) | |||
|
|||
var h http.Handler = rs.Mux |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit:
var h http.Handler = rs.Mux | |
h := rs.Mux |
All changes requested have been addressed.
That was fast. Nice one, @marbar3778 |
This adds the --unsafe-cors flag functionality. From: #5671 Co-authored-by: Marko <[email protected]>
* v0.38.4-RC1 * add release date * client/keys/parse: honor config changes (cosmos#6340) `keys parse` uses the global configuration before before client applications have had a chance to apply their settings. This change adds a `GetSealedConfig()` helper that waits for the config to be sealed before returning it. Fixes: cosmos#5091 Origin: cosmos@4e328d7 Author: Adam Bozanich <[email protected]> Reviewed-by: Alessio Treglia <[email protected]> * Merge PR cosmos#6505: Backport v0.38.5: IAVL Bump (RC) & Pruning Refactor * Fix cl * Fix cl * Merge PR cosmos#6551: Ethanfrey/fix trace flag * Merge PR cosmos#6552: Add sender info to bank transfer event * Merge PR cosmos#6581: v0.38.5-RC1 * Add release date * deps: bump IAVL to 0.14 * cl++ * Merge PR cosmos#6618: backport 0.39.0 (launchpad): cherry pick cosmos#5839 * launchpad: bump tendermint to v0.33.6 (cosmos#6673) * launchpad: bump tendermint to v0.33.6 * cha-cha-cha * fix types.ChainAnteDecorators() panic (cosmos#5742) (cosmos#6669) ChainAnteDecorators() panics when no arguments are supplied. This change its behaviour and the function now returns a nil AnteHandler in case no AnteDecorator instances are supplied. Closes: cosmos#5741 * launchpad: register MsgFundCommunityPool to distribution codec (cosmos#6675) Closes: cosmos#6210 * client: backport IBC additions (cosmos#6682) * launchpad: backport cliCtx.QueryABCI * add prove flag * Save account for multi sending (cosmos#6674) Include changes from PR cosmos#6283 Co-authored-by: Federico Kunze <[email protected]> Co-authored-by: Alessio Treglia <[email protected]> * baseapp: fix sender events accumulation (cosmos#6683) closes: cosmos#6306 original PR: cosmos#6307 * run go mod tidy * add changelog line re: issue that was not included in v0.38.5 * Fix changelog * add release notes * update CODEOWNERS as per STABLE_RELEASES.md Launchpad's Stable Release Managers team's current composition as approved by @okwme (ICF): * @alessio * @clevinson * @ethanfrey * Add milestone's URL * Revert "update CODEOWNERS as per STABLE_RELEASES.md" This reverts commit f384592. * fix typo * add example patch * launchpad: backport account sequence stuck (cosmos#6721) Launchpad fix for cosmos#6287 * update release notes * make explicit that the regression is fixed in 0.39 * update release notes * Update CHANGELOG.md * update release notes @ethanfrey * remove pruning info from changelog They have been moved to NEWS.md * Update NEWS.md Co-authored-by: Alexander Bezobchuk <[email protected]> * Mege PR cosmos#6749: auth: remove custom JSON marshaling * mv NEWS.md -> RELEASE_NOTES.md Self-explanatory naming convention. * Update changelog * add reference to gaia software upgrade * x/staking: add call to iterator Close() method (cosmos#6794) Original pull request: cosmos#6791 * [ci] fix linter (cosmos#6795) * Merge PR cosmos#6842: Remove custom acc JSON marshl * Backport cosmos#5671: Add a Flag for CORS (cosmos#6853) This adds the --unsafe-cors flag functionality. From: cosmos#5671 Co-authored-by: Marko <[email protected]> * Merge PR cosmos#6855: Allow passing through Content-Type (needed for POST) * Merge PR cosmos#6861: Revert "Backport 0.39.1: Remove Custom JSON Marshaling for Accounts" * Merge PR cosmos#6869: Backport 0.39.1: Launchpad Migration cosmos#6829 * Update changelog and release notes * Update x/auth/legacy/v0_39/types.go * Update x/auth/legacy/v0_38/types.go * Merge PR cosmos#6938: Fix v0.39 migrate test * Merge PR cosmos#6937: Bump Tendermint to v0.33.7 * Update x/auth/legacy/v0_39/types.go Co-authored-by: Alexander Bezobchuk <[email protected]> * update RELEASE_NOTES.md * update changelog * test case with real genesis data (cosmos#6995) * incorporate Ethan Frey's suggestion * make format * Update go mod * Remove some ci files * Modify data for test Co-authored-by: Alexander Bezobchuk <[email protected]> Co-authored-by: Aleksandr Bezobchuk <[email protected]> Co-authored-by: Alessio Treglia <[email protected]> Co-authored-by: Ethan Frey <[email protected]> Co-authored-by: Federico Kunze <[email protected]> Co-authored-by: Jonathan Gimeno <[email protected]> Co-authored-by: Marko <[email protected]>
* v0.38.4-RC1 * add release date * client/keys/parse: honor config changes (cosmos#6340) `keys parse` uses the global configuration before before client applications have had a chance to apply their settings. This change adds a `GetSealedConfig()` helper that waits for the config to be sealed before returning it. Fixes: cosmos#5091 Origin: cosmos@4e328d7 Author: Adam Bozanich <[email protected]> Reviewed-by: Alessio Treglia <[email protected]> * Merge PR cosmos#6505: Backport v0.38.5: IAVL Bump (RC) & Pruning Refactor * Fix cl * Fix cl * Merge PR cosmos#6551: Ethanfrey/fix trace flag * Merge PR cosmos#6552: Add sender info to bank transfer event * Merge PR cosmos#6581: v0.38.5-RC1 * Add release date * deps: bump IAVL to 0.14 * cl++ * Merge PR cosmos#6618: backport 0.39.0 (launchpad): cherry pick cosmos#5839 * launchpad: bump tendermint to v0.33.6 (cosmos#6673) * launchpad: bump tendermint to v0.33.6 * cha-cha-cha * fix types.ChainAnteDecorators() panic (cosmos#5742) (cosmos#6669) ChainAnteDecorators() panics when no arguments are supplied. This change its behaviour and the function now returns a nil AnteHandler in case no AnteDecorator instances are supplied. Closes: cosmos#5741 * launchpad: register MsgFundCommunityPool to distribution codec (cosmos#6675) Closes: cosmos#6210 * client: backport IBC additions (cosmos#6682) * launchpad: backport cliCtx.QueryABCI * add prove flag * Save account for multi sending (cosmos#6674) Include changes from PR cosmos#6283 Co-authored-by: Federico Kunze <[email protected]> Co-authored-by: Alessio Treglia <[email protected]> * baseapp: fix sender events accumulation (cosmos#6683) closes: cosmos#6306 original PR: cosmos#6307 * run go mod tidy * add changelog line re: issue that was not included in v0.38.5 * Fix changelog * add release notes * update CODEOWNERS as per STABLE_RELEASES.md Launchpad's Stable Release Managers team's current composition as approved by @okwme (ICF): * @alessio * @clevinson * @ethanfrey * Add milestone's URL * Revert "update CODEOWNERS as per STABLE_RELEASES.md" This reverts commit f384592. * fix typo * add example patch * launchpad: backport account sequence stuck (cosmos#6721) Launchpad fix for cosmos#6287 * update release notes * make explicit that the regression is fixed in 0.39 * update release notes * Update CHANGELOG.md * update release notes @ethanfrey * remove pruning info from changelog They have been moved to NEWS.md * Update NEWS.md Co-authored-by: Alexander Bezobchuk <[email protected]> * Mege PR cosmos#6749: auth: remove custom JSON marshaling * mv NEWS.md -> RELEASE_NOTES.md Self-explanatory naming convention. * Update changelog * add reference to gaia software upgrade * x/staking: add call to iterator Close() method (cosmos#6794) Original pull request: cosmos#6791 * [ci] fix linter (cosmos#6795) * Merge PR cosmos#6842: Remove custom acc JSON marshl * Backport cosmos#5671: Add a Flag for CORS (cosmos#6853) This adds the --unsafe-cors flag functionality. From: cosmos#5671 Co-authored-by: Marko <[email protected]> * Merge PR cosmos#6855: Allow passing through Content-Type (needed for POST) * Merge PR cosmos#6861: Revert "Backport 0.39.1: Remove Custom JSON Marshaling for Accounts" * Merge PR cosmos#6869: Backport 0.39.1: Launchpad Migration cosmos#6829 * Update changelog and release notes * Update x/auth/legacy/v0_39/types.go * Update x/auth/legacy/v0_38/types.go * Merge PR cosmos#6938: Fix v0.39 migrate test * Merge PR cosmos#6937: Bump Tendermint to v0.33.7 * Update x/auth/legacy/v0_39/types.go Co-authored-by: Alexander Bezobchuk <[email protected]> * update RELEASE_NOTES.md * update changelog * test case with real genesis data (cosmos#6995) * incorporate Ethan Frey's suggestion * make format * Update go mod * Remove some ci files * Modify data for test * API server * Port telemetry * Initial metrics * Fix measure * Merge PR cosmos#6761: telemetry: use UTC() in wrappers * Remove file * Make format * Revert changes to client * Revert changes to client/lcd/root * Revert renames in client * Fix int64 panics * Revert "Revert renames in client" This reverts commit cc0a95d14c3212fa1c49f93789dd94e167427a57. * Revert "Revert changes to client/lcd/root" This reverts commit e3bb87bbacae13676c3a1f86f8d441d576b1f2ba. * Revert "Revert changes to client" This reverts commit 332cacba3242e503bcc4bffc3f6b25c1906efca4. Co-authored-by: Alexander Bezobchuk <[email protected]> Co-authored-by: Aleksandr Bezobchuk <[email protected]> Co-authored-by: Alessio Treglia <[email protected]> Co-authored-by: Ethan Frey <[email protected]> Co-authored-by: Federico Kunze <[email protected]> Co-authored-by: Jonathan Gimeno <[email protected]> Co-authored-by: Marko <[email protected]> Co-authored-by: Adam Bozanich <[email protected]>
@ethanfrey
Signed-off-by: Marko Baricevic [email protected]
Closes: #XXX
Description
For contributor use:
docs/
) or specification (x/<module>/spec/
)godoc
comments.Unreleased
section inCHANGELOG.md
Files changed
in the Github PR explorerFor admin use:
WIP
,R4R
,docs
, etc)