From d61ae2bcb48be6067acaaa9c0d1c51483f891b0b Mon Sep 17 00:00:00 2001
From: Marcin Rataj
Date: Fri, 29 Jan 2021 22:08:16 +0100
Subject: [PATCH] fix: remove use of Clear-Site-Data

We used Clear-Site-Data to cushion transition period for local gateway exposed at http://localhost while we were still figuring out security-related details. In the final implementation subdomain gateways are not tied to a hostname explicitly, which removes the risk of cookies leaking, removing the need for the header. Turns out it causes issues for Firefox users, so let's just remove it.

Closes https://github.com/ipfs-shipyard/ipfs-companion/issues/977
---
 core/corehttp/hostname.go | 9 ---------
 docs/config.md | 1 -
 test/sharness/t0114-gateway-subdomains.sh | 7 -------
 3 files changed, 17 deletions(-)

diff --git a/core/corehttp/hostname.go b/core/corehttp/hostname.go
index da133f7abe1..d4006cb8432 100644
--- a/core/corehttp/hostname.go
+++ b/core/corehttp/hostname.go
@@ -97,15 +97,6 @@ func HostnameOption() ServeOption {
 return
 }
 if newURL != "" {
- // Just to be sure single Origin can't be abused in
- // web browsers that ignored the redirect for some
- // reason, Clear-Site-Data header clears browsing
- // data (cookies, storage etc) associated with
- // hostname's root Origin
- // Note: we can't use "*" due to bug in Chromium:
- // https://bugs.chromium.org/p/chromium/issues/detail?id=898503
- w.Header().Set("Clear-Site-Data", "\"cookies\", \"storage\"")
-
 // Set "Location" header with redirect destination.
 // It is ignored by curl in default mode, but will
 // be respected by user agents that follow
diff --git a/docs/config.md b/docs/config.md
index d2806a8a7d0..521c7df1f2e 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -653,7 +653,6 @@ between content roots.
 }
 }
 ```
-
 Default: `false`
diff --git a/test/sharness/t0114-gateway-subdomains.sh b/test/sharness/t0114-gateway-subdomains.sh
index b9af0805e57..0cf4d57ae92 100755
--- a/test/sharness/t0114-gateway-subdomains.sh
+++ b/test/sharness/t0114-gateway-subdomains.sh
@@ -181,13 +181,6 @@ test_localhost_gateway_response_should_contain \
 "http://localhost:$GWAY_PORT/ipfs/$DIR_CID/" \
 "Location: http://$DIR_CID.ipfs.localhost:$GWAY_PORT/"
 
-# Responses to the root domain of subdomain gateway hostname should Clear-Site-Data
-# https://github.com/ipfs/go-ipfs/issues/6975#issuecomment-597472477
-test_localhost_gateway_response_should_contain \
- "request for localhost/ipfs/{CIDv1} returns Clear-Site-Data header to purge Origin cookies and storage" \
- "http://localhost:$GWAY_PORT/ipfs/$CIDv1" \
- 'Clear-Site-Data: \"cookies\", \"storage\"'
-
 # We return body with HTTP 301 so existing cli scripts that use path-based
 # gateway do not break (curl doesn't auto-redirect without passing -L; wget
 # does not span across hostnames by default)