Title: [PULL REQUEST] CORS support
Post by: Gavin Andresen on January 07, 2011, 07:23:45 PM
https://github.com/bitcoin/bitcoin/pull/23

Cross Origin Resource Sharing lets servers support cross-origin Javascript. It is supported by the latest browsers (although IE support is... different), and involves sending CORS headers in responses. Adding this enables Javascript code running in a browser to connect with any bitcoin/bitcoind that allows RPC connections from the browser's IP address and has the right rpc username/password. Code changes are minimal (4 lines of code to output CORS headers). Thanks to tcatm for implementing and testing.

Title: Re: [PULL REQUEST] CORS support
Post by: davout on January 07, 2011, 08:33:01 PM

Is this going to be enabled by default?

Title: Re: [PULL REQUEST] CORS support
Post by: tcatm on January 07, 2011, 08:35:44 PM

Quote: Is this going to be enabled by default?

Yep. It just adds two headers so browsers don't complain when using JSON-RPC across domains.

Title: Re: [PULL REQUEST] CORS support
Post by: Gavin Andresen on January 11, 2011, 12:53:33 PM

davout said (at the github pull request):

Quote: I think this needs to be explicitly allowed from the bitcoin client side, otherwise any website could start quietly bruteforcing the username/password out of a client.

If you've opened up access to the rpcport, then I don't think CORS support adds any significant vulnerability to password brute-forcing. I suppose it means a 10-year-old non-programmer can repeatedly enter a username and password into a website to try to brute-force your rpcpassword... but anybody capable of writing or running a script could just write a brute-forcer that doesn't run in a browser. And, come to think of it, turning on CORS explicitly wouldn't stop the ten-year-old, either: they could just repeatedly browse to the URL http://your-bitcoind-machine:8332/ and try different usernames/passwords. Also, bitcoind already has anti-brute-forcing code.

The only security vulnerability I could imagine with CORS is that it might encourage people to add:

rpcallowip=*

... to their bitcoin.conf, so they can connect to bitcoin from any IP address. And I worry that they might not bother to set up SSL, in which case their rpc username/password will be sent across the net in the clear.

Title: Re: [PULL REQUEST] CORS support
Post by: davout on January 11, 2011, 01:12:51 PM

Well, what I'm saying is that if the bitcoin client is freely accessible from a script on my page, I can poke admin/password at every single visitor that passes and manage to rob 2% of them.
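The disagreement above turns on what the browser actually lets a cross-origin page do to a JSON-RPC endpoint. The following is an added example (not code from the pull request, from bitcoind, or from anyone in the thread): a small model of the browser's CORS gate, applied to davout's scenario of a page guessing RPC credentials against each visitor's own bitcoind. It assumes the RPC port is 8332, that the page sends a POST with a JSON body and a script-set `Authorization: Basic` header, and that the CORS-enabled bitcoind answers with `Access-Control-Allow-Origin: *` and an `Access-Control-Allow-Headers` list; the thread says only that "two headers" were added, so those exact values are an assumption. The wildcard origin is accepted here because, under the CORS/Fetch rules, an Authorization header set by script is an ordinary request header, not a "credential" (cookies, browser-cached HTTP auth, client certificates); a request sent with `withCredentials` would be refused by a `*` origin.

```javascript
// Added example, not code from the pull request or from bitcoind: a model of
// the browser-side CORS gate, applied to davout's scenario of a web page
// guessing RPC credentials against each visitor's own bitcoind.
//
// Assumptions not stated in the thread: the RPC port is 8332; the page sends a
// POST with "Content-Type: application/json" and a script-set
// "Authorization: Basic ..." header; and the CORS-enabled bitcoind answers with
// "Access-Control-Allow-Origin: *" plus "Access-Control-Allow-Headers".
// The exact headers the pull request emitted are not given on the page.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_MIME = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Lower-case header names so lookups are case-insensitive.
function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// "Simple" (safelisted) headers may be sent cross-origin without a preflight.
// Content-Type is only safelisted for three form-style MIME types; JSON is not.
function isSafelistedHeader(name, value) {
  if (!SAFELISTED_HEADERS.has(name)) return false;
  if (name === "content-type") return SAFELISTED_MIME.has(value.split(";")[0].trim().toLowerCase());
  return true;
}

// A request needs an OPTIONS preflight when its method or any header is not safelisted.
function needsPreflight(req) {
  if (!SAFELISTED_METHODS.has(req.method.toUpperCase())) return true;
  return Object.entries(lower(req.headers)).some(([n, v]) => !isSafelistedHeader(n, v));
}

function csvSet(value, normalize) {
  return new Set((value || "").split(",").map(s => normalize(s.trim())).filter(Boolean));
}

function originAllowed(pageOrigin, respHeaders) {
  const acao = lower(respHeaders)["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

// Preflight passes only if the server allows the page's origin, the method (unless
// safelisted) and every non-safelisted request header by name.
function preflightAllowed(pageOrigin, req, preflightResp) {
  const pr = lower(preflightResp);
  if (!originAllowed(pageOrigin, preflightResp)) return false;
  const methods = csvSet(pr["access-control-allow-methods"], s => s.toUpperCase());
  const allowedHeaders = csvSet(pr["access-control-allow-headers"], s => s.toLowerCase());
  const m = req.method.toUpperCase();
  if (!SAFELISTED_METHODS.has(m) && !methods.has(m)) return false;
  return Object.entries(lower(req.headers)).every(([n, v]) => isSafelistedHeader(n, v) || allowedHeaders.has(n));
}

// Outcome of one cross-origin request from a page at pageOrigin:
//   "blocked"       the browser never sends it (preflight failed)
//   "sent-opaque"   delivered to the server, but the page cannot read the reply
//   "sent-readable" delivered and the page can read the reply, so it learns
//                   whether the credential guess worked
function crossOriginOutcome(pageOrigin, req, serverHeaders) {
  if (needsPreflight(req) && !preflightAllowed(pageOrigin, req, serverHeaders)) return "blocked";
  return originAllowed(pageOrigin, serverHeaders) ? "sent-readable" : "sent-opaque";
}

// One credential guess against the visitor's local bitcoind (constructed request).
function rpcGuess(pageOrigin, user, pass, serverHeaders) {
  const req = {
    method: "POST",
    url: "http://127.0.0.1:8332/",
    headers: {
      "Content-Type": "application/json",
      "Authorization": "Basic " + Buffer.from(`${user}:${pass}`).toString("base64"),
    },
    body: JSON.stringify({ jsonrpc: "1.0", id: "guess", method: "getbalance", params: [] }),
  };
  return crossOriginOutcome(pageOrigin, req, serverHeaders);
}

// Server configurations to compare (assumed; the thread does not list the headers).
const BITCOIND_NO_CORS = {};
const BITCOIND_CORS = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Headers": "Authorization, Content-Type",
};

const ATTACKER = "https://attacker.example";
console.log("no CORS:  ", rpcGuess(ATTACKER, "admin", "password", BITCOIND_NO_CORS)); // blocked
console.log("with CORS:", rpcGuess(ATTACKER, "admin", "password", BITCOIND_CORS));    // sent-readable
```

Two points fall out of running it. Without CORS headers the authenticated guess is never delivered, because the Authorization and JSON Content-Type headers force a preflight that bitcoind does not answer; with the assumed headers every visitor's browser becomes a brute-force client that can also read whether the guess succeeded. A form-style POST with a text/plain body and no Authorization header still reaches the port in either configuration (the model reports it as sent but opaque), which is the sense in which the RPC port is already exposed to the browser before this change; what the two headers add is delivery of the credentialed request and readability of the reply.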
Title: Re: [PULL REQUEST] CORS support
Post by: tcatm on January 11, 2011, 04:59:29 PM

Another idea: Force SSL by default and don't add CORS (doesn't work well over SSL anyway), then use a proxy like SSLserver.py from js-remote that serves the Javascript UI and proxies RPC calls through another SSL connection.

Title: Re: [PULL REQUEST] CORS support
Post by: bitcoinex on January 11, 2011, 05:30:39 PM

This is very dangerous!

The browser is the buggiest program on a typical PC! Without the browser confined in SELinux I do not want this functionality: through a leaky browser, a site can read the password from the config file and steal the money. Such bugs are still happening. I cannot offer a solution to this problem. I think that ordinary users should continue to use the GUI client and not use bitcoind + browser plugins etc.

Title: Re: [PULL REQUEST] CORS support
Post by: Gavin Andresen on January 11, 2011, 05:54:31 PM

Quote: The browser is the buggiest program on a typical PC! Without the browser confined in SELinux I do not want this functionality: through a leaky browser, a site can read the password from the config file and steal the money. Such bugs are still happening.

CORS support doesn't change this. IF the browser has a bug that lets JavaScript code read the local filesystem, THEN JavaScript code can get your rpc username/password from your bitcoin.conf file. And IF the JavaScript code can do that, then it can send rpc commands to bitcoind running on localhost (because, surprisingly, the same-origin policy does NOT apply to localhost: URLs -- we learned that lesson here six months or so ago). That is all true right now, with the released bitcoin/bitcoind.

Title: Re: [PULL REQUEST] CORS support
Post by: j16sdiz on January 12, 2011, 12:29:05 AM

Quote: This is very dangerous! The browser is the buggiest program on a typical PC! Without the browser confined in SELinux I do not want this functionality: through a leaky browser, a site can read the password from the config file and steal the money. Such bugs are still happening. I cannot offer a solution to this problem. I think that ordinary users should continue to use the GUI client and not use bitcoind + browser plugins etc.

CORS just removes the XSS protection -- you know, that cookie-stealing or content-sniffing stuff -- it does nothing to plugins / extensions / the local filesystem. Do browsers have a bug for reading the local filesystem? Maybe. Would this be CORS-related? Very unlikely -- CORS works at a different level of abstraction.

Title: Re: [PULL REQUEST] CORS support
Post by: Gavin Andresen on January 18, 2011, 07:38:42 PM

I don't think we have consensus that CORS in bitcoin is a good idea, so I'm not going to pull this now.

tcatm's little proxy server is a good workaround.

Title: Re: [PULL REQUEST] CORS support
Post by: davout on January 20, 2011, 10:41:45 AM

Quote: I don't think we have consensus that CORS in bitcoin is a good idea, so I'm not going to pull this now.

Come on gavin, be opinionated!

Quote: tcatm's little proxy server is a good workaround.

If users don't like it, they'll fork :)