Skip to content

Reject cookies from third-party applications#526

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dmitrizagidulin merged 1 commit into from
Jul 27, 2017
Merged

Reject cookies from third-party applications #526

dmitrizagidulin merged 1 commit into from
Jul 27, 2017

Conversation

@RubenVerborgh
Copy link
Contributor

@RubenVerborghRubenVerborgh commented Jul 25, 2017
edited
Loading

Otherwise, when a user is logged in to their Solid server,
any third-party application could perform authenticated requests
without permission by including the credentials set by the Solid server.

Closes#524. Breaking change, needs new semver-major.

Note: this breaks Warp, which currently relies on cookie-based authentication (linkeddata/warp#23).

@RubenVerborghRubenVerborgh mentioned this pull request Jul 25, 2017
Open
@RubenVerborghRubenVerborghforce-pushed the fix/no-cross-origin-cookie branch from 01f3671 to 62a9044CompareJuly 25, 2017 20:39
@RubenVerborgh
Copy link
ContributorAuthor

RubenVerborgh commented Jul 25, 2017

@dmitrizagidulin Updated check for equality with the hostnames of either the user ID or the server.

dmitrizagidulin
dmitrizagidulin reviewed Jul 25, 2017
View reviewed changes
lib/create-app.js Outdated
const userId = req.session.userId
console.log('check')
if (origin && userId){
const userIdHost = userId.replace(/([^:/])\/.*/, '$1')
Copy link
Contributor

@dmitrizagidulindmitrizagidulinJul 25, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this might grab the path, as well as the host? so, it'll be like ruben.databox.me/profile/card, yeah?

Copy link
Contributor

@dmitrizagidulindmitrizagidulinJul 25, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, n/m :) See it.

@RubenVerborgh
Reject cookies from third-party applications.
de38bf8
Otherwise, when a user is logged in to their Solid server, any third-party application could perform authenticated requests without permission by including the credentials set by the Solid server. Closes#524. Breaking change, needs new semver-major.
@RubenVerborghRubenVerborghforce-pushed the fix/no-cross-origin-cookie branch from 62a9044 to de38bf8CompareJuly 25, 2017 21:09
@RubenVerborgh
Copy link
ContributorAuthor

RubenVerborgh commented Jul 25, 2017

@dmitrizagidulin Now with unit tests for the check.

@dmitrizagidulin
Copy link
Contributor

dmitrizagidulin commented Jul 25, 2017

@RubenVerborgh 👍 , thank you!

@dmitrizagidulindmitrizagidulin merged commit f853711 into dz_oidcJul 27, 2017
@dmitrizagidulindmitrizagidulin deleted the fix/no-cross-origin-cookie branch July 27, 2017 15:21
@RubenVerborghRubenVerborgh added this to the 4.0.0 milestone Aug 10, 2017
RubenVerborgh added a commit that referenced this pull request Aug 10, 2017
@RubenVerborgh
Add CHANGELOG entry for cookie auth (#526).
527109e
@RubenVerborghRubenVerborgh mentioned this pull request Aug 11, 2017
Closed
@RubenVerborghRubenVerborgh mentioned this pull request Sep 1, 2017
Closed
RubenVerborgh added a commit that referenced this pull request Sep 3, 2017
@RubenVerborgh
Add CHANGELOG entry for cookie auth (#526).
d20bef8
@RubenVerborghRubenVerborgh mentioned this pull request Jan 18, 2018
Open
@RubenVerborghRubenVerborgh mentioned this pull request Jun 15, 2018
Closed
@timbl
Copy link
Contributor

timbl commented Jun 15, 2018

There seems to be no discussion about the way this interacts with CORS. There is no isssue behind this PR?

@RubenVerborgh
Copy link
ContributorAuthor

RubenVerborgh commented Jun 15, 2018

@timbl The issue is tagged in the description, it's #524.

There's no interaction with CORS: we simply allow all cross-origin interactions on Solid servers, and also accept cookies with AJAX requests from any origin. As a result from that openness, we need to be careful about what requests we accept from what hosts, and the cookies mechanism wasn't doing that.

This was referenced Oct 2, 2018
Merged
Closed
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dan-fdan-fAwaiting requested review from dan-f

1 more reviewer

@dmitrizagidulindmitrizagidulindmitrizagidulin left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@dmitrizagidulindmitrizagidulin

Labels

bugready for review

Projects

None yet

Milestone

4.0.0

Development

Successfully merging this pull request may close these issues.

4 participants

@RubenVerborgh@dmitrizagidulin@timbl