[che-dev] Changes in CORS configuration for Eclipse Che.

Hello
Recently we decided to review our CORS configuration to make sure that it satisfies modern security requirements.

There is no functionality in upstream that uses CORS on the workspace master,
and CORS on the workspace agent is used only for the IDE.

To make Che more secure, we want to remove the CORS filter from the workspace master entirely.
On the ws-agent side, we want to limit Allow-Origin to the host from which the IDE was loaded.

If you see any problems with that please let me know.
Useful links


Some similar security issues:

Some related blog posts:

--

Sergii Kabashniuk

Principal Software Engineer, DevTools 

Red Hat Ukraine

skabashniuk@xxxxxxxxxx    
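
The ws-agent rule described in the message above, sketched as an added example that is not part of the original post and is not Eclipse Che code: the response carries `Access-Control-Allow-Origin` only when the request's `Origin` equals the IDE origin exactly. The class and method names and the sample origins are hypothetical, and comparing the full origin (scheme, host and port) rather than the bare host is an assumption.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added illustration; SingleOriginCors and its methods are hypothetical names.
public class SingleOriginCors {

    // Normalises to scheme://host[:port]; returns null for anything that is not a plain http(s) origin.
    static String normalize(String origin) {
        if (origin == null) return null;
        try {
            URI u = new URI(origin.trim());
            String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) return null;
            // An origin carries no user info, path, query or fragment.
            boolean hasPath = u.getPath() != null && !u.getPath().isEmpty();
            if (u.getHost() == null || u.getUserInfo() != null || hasPath
                    || u.getQuery() != null || u.getFragment() != null) return null;
            int port = u.getPort();
            boolean defaultPort = port == -1 || (scheme.equals("http") && port == 80)
                    || (scheme.equals("https") && port == 443);
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + (defaultPort ? "" : ":" + port);
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // CORS headers for one response: Allow-Origin is set only on an exact origin match.
    static Map<String, String> corsHeaders(String requestOrigin, String ideOrigin) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Vary", "Origin"); // the response depends on Origin, so caches must key on it
        String allowed = normalize(ideOrigin);
        if (allowed != null && allowed.equals(normalize(requestOrigin))) {
            headers.put("Access-Control-Allow-Origin", allowed); // never "*", never a prefix or suffix match
        }
        return headers;
    }

    public static void main(String[] args) {
        String ide = "https://che.example.test"; // constructed sample value
        String[] origins = { // constructed: two matches, then a scheme mismatch, look-alike hosts and "null"
            "https://che.example.test", "https://CHE.example.test:443", "http://che.example.test",
            "https://che.example.test.other.example", "https://notche.example.test", "null" };
        for (String o : origins) System.out.println(o + " -> " + corsHeaders(o, ide));
    }
}
```

Only the first two sample origins receive the header; the scheme mismatch, both look-alike hosts and the literal `null` origin get `Vary: Origin` alone, so the browser blocks the cross-origin read.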

