Re: [che-dev] Changes in CORS configuration for Eclipse Che.

[Florent Benoit <florent@xxxxxxxxxx>]

Hello Sergii,

> There is no functionality in upstream that uses CORS on workspace master and CORS on workspace agent are used only for IDE. 

Hello, I don't know how you checked functionalities, but AFAIK the export to private cloud feature of dashboard is using CORS (as it needs to connect to another remote workspace master endpoint)

Also maybe there is other stuff using CORS from dashboard

Florent

On Sat, Nov 17, 2018 at 3:56 PM Sergii Kabashniuk <skabashn@xxxxxxxxxx> wrote:

Hello

Recently we decided to review our CORS configuration to make sure that it's satisfying modern security requirements. 

There is no functionality in upstream that uses CORS on workspace master

and CORS on workspace agent are used only for IDE. 

To make Che more secure, we want to remove CORS filter from the workspace master at all.

On ws-agent side, we want to limit Allow-Origin to the host from which IDE was loaded.

If you see any problems with that please let me know.

Useful links

https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CORS_Filter

https://bz.apache.org/bugzilla/show_bug.cgi?id=62343

https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/filters/CorsFilter.java

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

Some similar security issues:

[1] https://github.com/cyu/rack-cors/issues/126

[2] https://nodesecurity.io/advisories/148

[3] https://github.com/yiisoft/yii2/issues/16193

Some related blog posts:

[4] http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html

[5] https://ejj.io/misconfigured-cors/

--

Sergii Kabashniuk

Principal Software Engineer, DevTools 

Red Hat Ukraine

skabashniuk@xxxxxxxxxx