Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork9.7k
[2.7][WebProfilerBundle] Fix CORS ajax security issues#18413
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
[2.7][WebProfilerBundle] Fix CORS ajax security issues#18413
Uh oh!
There was an error while loading.Please reload this page.
Conversation
| ->end() | ||
| ->end() | ||
| ->booleanNode('intercept_redirects')->defaultFalse()->end() | ||
| ->booleanNode('enable_cors')->defaultFalse()->end() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Any downside to always enable it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
No downside, even if you're doing cross domain calls without exposing the related headers. However, you'll have security logs in your console.
This should be enabled if you're doing cross domain calls on Symfony apps that enabled cors and have been configured to expose these headers through CORS. Moreover, even if you do that, I'm not sure you would be able to display profiles (to be tested)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Oh, I just realized I read your comment to fast :) Of course, it's better to enable it by default, I'm gonna update this
cd33ed0 tocc11f26Compareromainneutron commentedApr 2, 2016
PR updated, comments addressed |
kroshp commentedApr 6, 2016
Same issue in 2.8 |
xabbuh commentedApr 6, 2016
@kroshp All fixes will be merged up to all maintained branches after being merged into the lowest affected branch. |
| protected$mode; | ||
| protected$position; | ||
| protected$excludedAjaxPaths; | ||
| protected$enableCors; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
should be private (even if older properties are not for legacy reasons)
stof commentedApr 7, 2016
is there a way in JS to check whether a header can be accessed according to the CORS rules, to be able to fallback ? It would be great to avoid this configuration setting entirely, and just remove it from the display (or display it in a special way) when the token cannot be retrieved due to CORS restrictions |
stof commentedApr 7, 2016
btw, a try/catch around the statement reading the header might be an acceptable way to implement the fallback if there is no better one. |
romainneutron commentedApr 14, 2016
I just tried to detect if we had access to these headers in CORS using Please note that these are not exception but Browser security warnings. You can try/catch these warnings but they still appear in the console. I'm not in favor of adding a new configuration, so this PR is stalled while we found something better :/ |
cc11f26 to9b67024Compareromainneutron commentedApr 16, 2016
I'm a bit stuck with this here... |
stof commentedApr 20, 2016
@romainneutron have to tried to ask on SO to get some help from the JS community ? |
…equest occured from another domain (romainneutron)This PR was merged into the 2.7 branch.Discussion----------[2.7][WebProfilerBunde] Give an absolute url in case the request occured from another domain| Q | A| ------------- | ---| Branch? | 2.7| Bug fix? | yes| New feature? | no| BC breaks? | no| Deprecations? | no| Tests pass? | yes| Fixed tickets | n/a| License | MIT| Doc PR | n/aThis is related to#18413:Using two symfony application ProjectA and MicroServiceB, if ProjectA issues XHR to MicroServiceB and both have the WebProfilerBundle enabled, then Ajax requests will be monitored in ProjectA. But - at the moment - it will try to look for profiles under ProjectA domain whereas data are stored on MicroServiceB domain.This PR fixes this issueCommits-------1a5d4ad [WebProfilerBunde] Give an absolute url in case the request occured from another domain
weaverryan commentedMay 5, 2016
Could why just avoid checking the headers entirely (and therefore showing the profiler link) when the AJAX request is for another domain? As nice as it is to show a profiler link that's coming from another Symfony app on some other domain, I'm not sure it's necessary - I'd expect the profiler link only for AJAX requests that are coming fromthis application. |
romainneutron commentedMay 12, 2016
I like@weaverryan 's idea, WDYT? |
xabbuh commentedMay 13, 2016
@weaverryan But that would mean that AJAX requests to the same application but with another domain also wouldn't be displayed, right? If so this is a BC break to me as someone might already rely on it (you could serve your internal API with a different domain for whatever reason for example). |
stof commentedMay 13, 2016
@weaverryan this would not be very convenient if you have an app hitting your API hosted on a different domain. |
stof commentedMay 13, 2016
@romainneutron can you try using |
stof commentedMay 13, 2016
@romainneutron I confirm you that |
stof commentedMay 13, 2016
though it returns a string representation of HTTP headers, so you will need to extract the header from it. |
stof commentedMay 13, 2016
or simpler: use the regex only to know whether the Symfony headers are exposed, and then use |
romainneutron commentedMay 14, 2016
@stof thanks for the hint! I'll try this asap |
7b83000 to20a26eeCompareromainneutron commentedMay 16, 2016
PR has been updated, ready for review |
| if (ret=allHeaders.match(/^x-debug-token-link:\s+(.*)$/im)) { | ||
| stackElement.profilerUrl= ret[1]; | ||
| } | ||
| } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
missing comma
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
good catch, fixed
20a26ee tocccc420Comparecccc420 tof8dd87dComparenicolas-grekas commentedMay 17, 2016
👍 |
fabpot commentedMay 17, 2016
Thank you@romainneutron. |
…mainneutron)This PR was merged into the 2.7 branch.Discussion----------[2.7][WebProfilerBundle] Fix CORS ajax security issues| Q | A| ------------- | ---| Branch? | 2.7| Bug fix? | yes| New feature? | no| BC breaks? | no| Deprecations? | no| Tests pass? | yes| Fixed tickets | N/A| License | MIT| Doc PR | N/AThe WebProfiler toolbar monitors ajax requests. However, when using cross domain ajax requests, it triggers a security issues `Refused to get unsafe header "X-Debug-Token"` `Refused to get unsafe header "X-Debug-Token-Link"` because if the other app is not a Symfony App configured to expose these headers in CORS.This fixes the issue. It adds a new configuration node to explicitly activate it on purpose.Commits-------f8dd87d [WebProfilerBundle] Fix CORS ajax security issues
This PR was merged into the 2.7 branch.Discussion----------Fix js comment in profiler| Q | A| ------------- | ---| Branch? | 2.7| Bug fix? | yes| New feature? | no| BC breaks? | no| Deprecations? | no| Tests pass? | yes| Fixed tickets || License | MIT| Doc PR |Single line comment introduced in#18413 causes the toolbar to fail to load with a syntax error.Commits-------91a2f5d Fix js comment in profiler
The WebProfiler toolbar monitors ajax requests. However, when using cross domain ajax requests, it triggers a security issues
Refused to get unsafe header "X-Debug-Token"Refused to get unsafe header "X-Debug-Token-Link"because if the other app is not a Symfony App configured to expose these headers in CORS.This fixes the issue. It adds a new configuration node to explicitly activate it on purpose.