fix: companion when custom CORS *-Origin is set
Companion extension should be able to access RPC API even when custom
Access-Control-Allow-Origin is set
lidel committed Mar 16, 2022
1 parent c48b612 commit 994ef08
Showing 2 changed files with 18 additions and 7 deletions.
10 changes: 6 additions & 4 deletions core/corehttp/commands.go
Expand Up @@ -44,6 +44,9 @@ var defaultLocalhostOrigins = []string{
"https://[::1]:<port>",
"http://localhost:<port>",
"https://localhost:<port>",
}

var companionBrowserExtensionOrigins = []string{
"chrome-extension://nibjojkomfdiaoajekhjakgkdhaomnch", // ipfs-companion
"chrome-extension://hjoieblefckbooibpepigmacodalfndh", // ipfs-companion-beta
}
Expand Down Expand Up @@ -86,10 +89,9 @@ func addHeadersFromConfig(c *cmdsHttp.ServerConfig, nc *config.Config) {
}

func addCORSDefaults(c *cmdsHttp.ServerConfig) {
// by default use localhost origins
if len(c.AllowedOrigins()) == 0 {
c.SetAllowedOrigins(defaultLocalhostOrigins...)
}
// always safelist certain origins
c.AppendAllowedOrigins(defaultLocalhostOrigins...)
c.AppendAllowedOrigins(companionBrowserExtensionOrigins...)

// by default, use GET, PUT, POST
if len(c.AllowedMethods()) == 0 {
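Review bot: The new `c.AppendAllowedOrigins(defaultLocalhostOrigins...)` is unconditional, so the localhost origins are now merged into every operator-configured Access-Control-Allow-Origin list, whereas the removed lines applied them only when no origins were configured at all; the commit message promises only the companion-extension exception, so widening a deliberately narrowed allowlist looks unintended, or at least undocumented. If only the extension safelist is meant to override operator config, keep the guard `if len(c.AllowedOrigins()) == 0 { c.SetAllowedOrigins(defaultLocalhostOrigins...) }` and append only `companionBrowserExtensionOrigins` unconditionally; if the wider behaviour is intended, replace the vague `// always safelist certain origins` with a comment that names it, e.g. `// localhost and ipfs-companion origins are always allowed, even when API.HTTPHeaders sets a custom Access-Control-Allow-Origin`, and mirror that in the config docs. Whether repeated calls to this function accumulate duplicate entries depends on AppendAllowedOrigins, which is outside the hunk. addCORSDefaults continues past the end of the hunk.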
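--- a/test/sharness/t0401-api-browser-security.sh
+++ b/test/sharness/t0401-api-browser-security.sh
@@ -39,17 +39,18 @@
 grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output
 '
 
-test_expect_success "Companion extension is unable to access API with invalid Origin" '
+test_expect_success "Random browser extension is unable to access RPC API due to invalid Origin" '
 curl -sD - -X POST -A "Mozilla" -H "Origin: chrome-extension://invalidextensionid" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
 grep "HTTP/1.1 403 Forbidden" curl_output
 '
 
-test_expect_success "Companion extension is able to access API if Origin is the API port on localhost (ipv4)" '
+test_expect_success "Companion extension is able to access RPC API on localhost" '
 curl -sD - -X POST -A "Mozilla" -H "Origin: chrome-extension://nibjojkomfdiaoajekhjakgkdhaomnch" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
+cat curl_output &&
 grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output
 '
 
-test_expect_success "Companion beta extension is able to access API if Origin is the API port on localhost (ipv4)" '
+test_expect_success "Companion beta extension is able to access API on localhost" '
 curl -sD - -X POST -A "Mozilla" -H "Origin: chrome-extension://hjoieblefckbooibpepigmacodalfndh" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
 grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output
 '
@@ -64,6 +65,14 @@
 
 test_launch_ipfs_daemon
 
+test_expect_success "Companion extension is able to access RPC API even when custom Access-Control-Allow-Origin is set" '
+ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin | grep -q valid.example.com &&
+curl -sD - -X POST -A "Mozilla" -H "Origin: chrome-extension://nibjojkomfdiaoajekhjakgkdhaomnch" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
+cat curl_output &&
+grep "HTTP/1.1 200 OK" curl_output &&
+grep "$PEERID" curl_output
+'
+
 # https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
 test_expect_success "OPTIONS with preflight request to API with CORS allowlist succeeds" '
 curl -svX OPTIONS -A "Mozilla" -H "Origin: https://valid.example.com" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: origin, x-requested-with" "http://127.0.0.1:$API_PORT/api/v0/id" 2>curl_output &&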
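Review bot: The new test in the second hunk only checks the positive case, so it would still pass if the server change had accidentally started accepting every Origin once a custom Access-Control-Allow-Origin is configured; the 403 check for `chrome-extension://invalidextensionid` in the first hunk runs before the config is changed and the daemon relaunched, so it does not cover this configuration. Adding the negative counterpart right after the new test pins the safelist to the known extension IDs. It would also be worth asserting the echoed `Access-Control-Allow-Origin:` response header in the positive case, since a 200 alone shows only that the server did not reject the request. The enclosing test file continues outside the hunk.
```shell
# … unchanged: new positive companion test …
test_expect_success "Random browser extension is still unable to access RPC API when custom Access-Control-Allow-Origin is set" '
  curl -sD - -X POST -A "Mozilla" -H "Origin: chrome-extension://invalidextensionid" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
  grep "HTTP/1.1 403 Forbidden" curl_output
'
```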
