| Re: [che-dev] Changes in CORS configuration for Eclipse Che. |
Hello Florent.On Mon, Nov 19, 2018 at 12:31 PM Florent Benoit <florent@xxxxxxxxxx> wrote:Hello Sergii,> There is no functionality in upstream that uses CORS on workspace master and CORS on workspace agent are used only for IDE.Hello, I don't know how you checked functionalities, but AFAIK the export to private cloud feature of dashboard is using CORS (as it needs to connect to another remote workspace master endpoint)Yes. You are right. There is such functionality. We missed it because there is no integration test for it.Another sad thing is that this functionality last time worked with Che5 + Codenvy. Because it usesauthentification methods that are no longer exist in Che6/7 era.What we can do:With CORS filter on workspace master.1. Do not upgrade tomcat with the latest security fixes. Does anybody think that this is a good idea?2. Allow configuring "origins" from the configuration. Quite useless since we don't know all the possible locations.3. Disable auth on CORS. Limits functionality to public methods only.4. Remove CORS at all from the master. In this way, we remove potential CORS vulnerabilities on ws-master from the agenda.My preference: 4 or 3.With "export to private cloud" - functionality.1. Just create a bug about not working functionality and forget.2. Deprecate and remove. We have alternatives: Export as a file. copy/paster json. devfile is coming https://github.com/eclipse/che/issues/115493. Fix this functionality in the combination of some sort of OAuth + server-side service method to be able safely sent authorization data.I think 3 can quickly look like as 1. That is why I think 2 is the best way.Thoughts?Also maybe there is other stuff using CORS from dashboardThe dashboard is not an issue if we talking about the same host.With ws-master, they are on the same domain. With agent: we are going to allow the request from dashboard's host.FlorentOn Sat, Nov 17, 2018 at 3:56 PM Sergii Kabashniuk <skabashn@xxxxxxxxxx> wrote:HelloRecently we decided to review our CORS configuration to make sure that it's satisfying modern security requirements.There is no functionality in upstream that uses CORS on workspace masterand CORS on workspace agent are used only for IDE.To make Che more secure, we want to remove CORS filter from the workspace master at all.On ws-agent side, we want to limit Allow-Origin to the host from which IDE was loaded.If you see any problems with that please let me know.Useful linksSome similar security issues:Some related blog posts:----
