Add CORS middleware #1349
Add CORS middleware #1349
Conversation
- fix bug with cookies differing when calling login and whoami endpoints
kian99
requested review from
alesstimec,
SimoneDutto,
babakks,
ale8k and
pkulik0
internal/auth/oauth2.go
Outdated
| // Note browsers require cookies with the same-site policy as 'none' to additionally have the secure flag set. | ||
| func sessionCrossOriginSafe(session *sessions.Session, secure bool) *sessions.Session { | ||
| session.Options.Secure = secure // Ensures only sent with HTTPS | ||
| session.Options.HttpOnly = false // Allow Javascript to read it |
There was a problem hiding this comment.
why are we allowing javascript to read it? Do they manipulate the cookies in some way?
There was a problem hiding this comment.
No they call whoami to get details
There was a problem hiding this comment.
Good point @SimoneDutto I went and tried my test again, setting HttpOnly = true and the browser still sends the cookie. Had a google and I see from here
A cookie with the HttpOnly attribute can't be modified by JavaScript, for example using Document.cookie; it can only be modified when it reaches the server. Cookies that persist user sessions for example should have the HttpOnly attribute set — it would be really insecure to make them available to JavaScript. This precaution helps mitigate cross-site scripting (XSS) attacks.
So I'll change this to true.
There was a problem hiding this comment.
yes, this is more secure! thank you for this
cmd/jimmsrv/service/service.go
Outdated
There was a problem hiding this comment.
i think you can add some requests forged to trigger cors policies in service_test.go
I'm not sure I understand the first part of your message. But with "samesite" set to none, the browser will include the cookie the cookie in all requests to the domain that set the cookie, including JS requests and via top-level navigation (i.e. a user clicking a link). And the server now has CORS only for GET requests, correct. |
| func sessionCrossOriginSafe(session *sessions.Session, secure bool) *sessions.Session { | ||
| session.Options.Secure = secure // Ensures only sent with HTTPS | ||
| session.Options.HttpOnly = true // Don't allow Javascript to modify cookie | ||
| session.Options.SameSite = http.SameSiteNoneMode // Allow cross-origin requests via Javascript |
There was a problem hiding this comment.
i think it's possible to set a domain for cookies, like .canonical. I can imagine in a production environment having the dashboard and jimm under the same subdomain.
In this way we are more secure.
There was a problem hiding this comment.
The domain automatically gets set to the domain that set the cookie. Doc source
I think the attack vector @ale8k is worried about is having a malicious js snippet in the victim browser using the dashboard able to send out (to |
Description
This PR does a few things around CORS to fix issues raised by the Juju dashboard.
There are some things worth mentioning here:
Access-Control-Allow-Credentialsheader to true. See here.Fixes CSS-10514
Engineering checklist
Check only items that apply
Test instructions
I tested the changes with a react app and made a request from the app, running at
localhost:3006to JIMM's /auth/whoami endpoint. After configuring CORS there was a 403 error because the browser did not send JIMM's session cookie in the request until the cookie's sameSite policy was changed to none.