fix(gw): remove use of Clear-Site-Data in subdomain router #7890

Merged
merged 1 commit into from
Mar 31, 2021


lidel
Member

@lidel lidel commented Jan 29, 2021

This PR removes use of buggy Clear-Site-Data header and solves issue with Firefox: ipfs/ipfs-companion#977
(Chromium browsers are not impacted, but they also barely support this header)

TLDR

Context

We used Clear-Site-Data as a failsafe/cushion during the transition period for local gateway exposed at http://localhost while we were still figuring out security-related details.

In the final implementation subdomain gateways are now tied to a hostname explicitly, which removes the risk of cookies leaking, removing the need for the header.

Turns out the header support is still not implemented correctly in Chromium and causes issues for Firefox users (ipfs/ipfs-companion#977), so let's just remove it.

cc @hsanjuan @Gozala @autonome for 👀
@aschmahmann should be small and clean enough to squeeze into 0.8.0 (#7707), but lmk if you prefer to push it to later one

We used Clear-Site-Data to cushion transition period for local gateway
exposed at http://localhost while we were still figuring out
security-related details.

In the final implementation subdomain gateways are not tied to a
hostname explicitly, which removes the risk of cookies leaking,
removing the need for the header.

Turns out it causes issues for Firefox users, so let's just remove it.

Closes ipfs/ipfs-companion#977
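
Added example (not code from this PR or from go-ipfs): a simplified Go sketch of why tying subdomain gateways to an explicit hostname makes a cookie-clearing header unnecessary. Each content root is served from its own host, and only under an allowlisted gateway hostname, so browsers scope cookies per root. The allowlist contents, the function names and the `bafyexample…` identifiers are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed allowlist: gateway hostname -> subdomain mode enabled.
var knownGateways = map[string]bool{"localhost": true, "gw.example": false}

func splitPort(host string) (name, port string) {
	if i := strings.LastIndex(host, ":"); i >= 0 {
		return host[:i], host[i:]
	}
	return host, ""
}

// SubdomainTarget maps a path-style request on an allowlisted hostname to a
// per-root origin. Assumes id is already a valid lowercase DNS label.
func SubdomainTarget(host, path string) (string, bool) {
	name, port := splitPort(host)
	p := strings.SplitN(strings.TrimPrefix(path, "/"), "/", 3)
	if !knownGateways[name] || len(p) < 2 || p[1] == "" || (p[0] != "ipfs" && p[0] != "ipns") {
		return "", false
	}
	rest := "/"
	if len(p) == 3 {
		rest += p[2]
	}
	return "http://" + p[1] + "." + p[0] + "." + name + port + rest, true
}

// RootOf accepts <id>.<ns>.<gateway> only when <gateway> is allowlisted, so an
// arbitrary Host header never gets subdomain treatment.
func RootOf(host string) (ns, id string, ok bool) {
	name, _ := splitPort(host)
	l := strings.SplitN(name, ".", 3)
	if len(l) != 3 || l[0] == "" || !knownGateways[l[2]] || (l[1] != "ipfs" && l[1] != "ipns") {
		return "", "", false
	}
	return l[1], l[0], true
}

func main() {
	fmt.Println(SubdomainTarget("localhost:8080", "/ipfs/bafyexamplea/index.html"))
	fmt.Println(RootOf("bafyexampleb.ipfs.localhost:8080"))
}
```

Two roots reached through the same gateway end up on different hosts, so a cookie set by one is never sent with requests for the other.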
@lidel lidel added topic/gateway Topic gateway need/review Needs a review labels Jan 29, 2021
@lidel lidel changed the title fix(gw): remove use of Clear-Site-Data header fix(gw): remove use of Clear-Site-Data in subdomain router Mar 23, 2021
@lidel lidel added this to the go-ipfs 0.9 milestone Mar 30, 2021
@Stebalien Stebalien merged commit 4cdb67f into master Mar 31, 2021
@Stebalien Stebalien removed the need/review Needs a review label Mar 31, 2021
@lidel lidel deleted the fix/remove-clear-site-data branch April 1, 2021 13:18
@aschmahmann aschmahmann mentioned this pull request May 14, 2021
71 tasks
hacdias pushed a commit to ipfs/boxo that referenced this pull request Jan 27, 2023
fix(gw): remove use of Clear-Site-Data in subdomain router

This commit was moved from ipfs/kubo@4cdb67f