
Add OCS-APIRequest to list of allowed CORS headers #31698

Closed
Conversation

everlanes
Contributor

Adding the OCS-APIRequest header to the list of allowed headers

This makes the OCS API usable by external web apps via XMLHttpRequest.
Otherwise, access to the resource is blocked either by the OCS API (missing OCS-APIRequest: true header) or by the browser (OCS-APIRequest: true header not allowed by CORS).

See Feature Request #31694

Adding the `OCS-APIRequest` header to the list of allowed headers

This makes the OCS API usable by external web apps via XMLHttpRequest.
Otherwise, access to the resource is blocked either by the OCS API (missing `OCS-APIRequest: true` header) or by the browser (`OCS-APIRequest: true` header not allowed by CORS).

Signed-off-by: Andreas Brinner <[email protected]>
@szaimen szaimen requested review from ChristophWurst, a team, PVince81, icewind1991 and come-nc and removed request for a team March 28, 2022 08:29
@PVince81 PVince81 requested a review from nickvergessen March 29, 2022 08:50
@blizzz blizzz mentioned this pull request Mar 31, 2022
@nickvergessen
Member

I don't think we want this enabled by default, security-wise.
It opens the API to scripted attacks easily. If your app wants to support this, it can easily specify that header in the constructor of the controller.

@everlanes
Contributor Author

Thanks for your thoughts. But I don't agree, and I will try to show you why:

The corsAllowedHeaders variable is only used by the function preflightedCors.
The sole purpose of this function is to make it easier to add a preflighted cors response.
It does not change the behavior or security of the underlying API.

I only added this header to the OCSController, for OCS API calls that require this header to be present.
In my understanding, if you want to use this helper function with the OCS API, the OCS-APIRequest header must always be added. Otherwise this helper is useless, as it does not help with preflighted CORS requests.
I don't see why the other default headers (Authorization, Content-Type, Accept) are present but OCS-APIRequest should imply a security risk.

> It opens the API to scripted attacks easily.

I don't agree on this. The API is open to scripted attacks independent of this header parameter.
If the API is public, it can be attacked by scripts.
The only one caring for this header are the browsers.

So in my opinion this is a kind of security by obscurity.
If a developer opens up the API (unknowingly) and tests it with a browser, the request will fail.
But not due to some good security measure, only because the browser refuses to call the API.
Any other script will happily access the API, as this header does not prevent it in any way.
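The exchange above turns on two separate gates: the browser's CORS preflight (which is the only thing that cares about `Access-Control-Allow-Headers`) and the OCS API's own requirement for `OCS-APIRequest: true`. The following is an added example, not code from Nextcloud or from this PR. It models the browser-side rules in plain JavaScript so the PR description and the reply can be checked against each other: a custom header forces an OPTIONS preflight, the real request is only sent if the preflight answer lists that header, and a non-browser client skips the preflight entirely. The safelist is a simplification of the Fetch spec, the two `Access-Control-Allow-Headers` values are constructed to match the default list and the PR's addition as the discussion describes them, `ocsAccepts` is a stand-in for the server-side rule the PR text states (OCS rejects calls without `OCS-APIRequest: true`), and the sample request headers are made up.

```javascript
// Added example, not Nextcloud or PR code. Models browser CORS preflight rules
// against an Access-Control-Allow-Headers value and a stand-in OCS server gate.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// CORS-safelisted request header (Fetch spec, simplified to the name list and
// the Content-Type media-type rule). Anything else, e.g. OCS-APIRequest or
// Authorization, is "unsafe" and must be covered by the preflight answer.
function isSafelisted(name, value) {
  const n = name.toLowerCase();
  if (n === 'accept' || n === 'accept-language' || n === 'content-language') return true;
  if (n === 'content-type') {
    return SAFE_CONTENT_TYPES.has(String(value).split(';')[0].trim().toLowerCase());
  }
  return false;
}

// A browser skips the OPTIONS preflight only for a "simple" request: safe
// method and nothing but safelisted headers.
function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([k, v]) => !isSafelisted(k, v));
}

// Parse "Authorization, Content-Type, Accept" into a lower-cased set.
function parseAllowHeaders(value) {
  return new Set(value.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean));
}

// Request headers the preflight response does not permit. Every non-safelisted
// header must appear in Access-Control-Allow-Headers; "*" only acts as a
// wildcard for requests sent without credentials and never covers Authorization.
function blockedHeaders(headers, allowHeadersValue, withCredentials = false) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  const wildcard = allowed.has('*') && !withCredentials;
  return Object.entries(headers)
    .filter(([k, v]) => !isSafelisted(k, v))
    .map(([k]) => k.toLowerCase())
    .filter((n) => !allowed.has(n) && !(wildcard && n !== 'authorization'));
}

// Stand-in for the server-side rule the PR describes: the OCS API only answers
// when the request carries OCS-APIRequest: true (header names case-insensitive).
function ocsAccepts(headers) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === 'ocs-apirequest');
  return entry !== undefined && String(entry[1]).toLowerCase() === 'true';
}

// One cross-origin XMLHttpRequest from a browser, end to end.
function browserCall(allowHeadersValue, method, headers, withCredentials = false) {
  const preflight = needsPreflight(method, headers);
  const blocked = preflight ? blockedHeaders(headers, allowHeadersValue, withCredentials) : [];
  const sent = blocked.length === 0;
  return { preflight, blocked, sent, accepted: sent && ocsAccepts(headers) };
}

// A non-browser client (curl, a script) never preflights: only the server gate applies.
function scriptedCall(headers) {
  return { preflight: false, blocked: [], sent: true, accepted: ocsAccepts(headers) };
}

// Constructed inputs: the default list as the discussion describes it, and the
// same list with the PR's addition.
const DEFAULT_ALLOW = 'Authorization, Content-Type, Accept';
const PATCHED_ALLOW = `${DEFAULT_ALLOW}, OCS-APIRequest`;
const OCS_REQUEST = {
  'OCS-APIRequest': 'true',
  Authorization: 'Basic dXNlcjpwYXNz', // "user:pass", constructed sample
  Accept: 'application/json',
};

console.log('default list :', browserCall(DEFAULT_ALLOW, 'GET', OCS_REQUEST));
console.log('patched list :', browserCall(PATCHED_ALLOW, 'GET', OCS_REQUEST));
console.log('script client:', scriptedCall(OCS_REQUEST));
```

With the default list the browser preflights (OCS-APIRequest is not safelisted), finds the header missing from the allow list and never sends the real request; with the patched list it is sent and passes the server gate; a scripted client ignores the preflight altogether and is only stopped by the server-side header check. Dropping the header to satisfy the browser still fails at the OCS gate, which is the "either blocked by the OCS API or by the browser" situation in the PR description.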

Labels
3. to review Waiting for reviews