Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: Gavin Andresen on January 07, 2011, 07:23:45 PM



Title: [PULL REQUEST] CORS support
Post by: Gavin Andresen on January 07, 2011, 07:23:45 PM
https://github.com/bitcoin/bitcoin/pull/23

Cross Origin Resource Sharing lets servers support cross-origin Javascript. It is supported by the latest browsers (although IE support is... different), and involves sending CORS headers in responses.

Adding this enables Javascript code running in a browser to connect with any bitcoin/bitcoind that allows RPC connections from the browser's IP address and has the right rpc username/password.

Code changes are minimal (4 lines of code to output CORS headers). Thanks to tcatm for implementing and testing.


Title: Re: [PULL REQUEST] CORS support
Post by: davout on January 07, 2011, 08:33:01 PM
Is this going to be enabled by default?


Title: Re: [PULL REQUEST] CORS support
Post by: tcatm on January 07, 2011, 08:35:44 PM
Quote
Is this going to be enabled by default?

Yep. It just adds two headers so browsers don't complain when using JSON-RPC across domains.


Title: Re: [PULL REQUEST] CORS support
Post by: Gavin Andresen on January 11, 2011, 12:53:33 PM
davout said (at the github pull request):

Quote
I think this needs to be explicitly allowed from the bitcoin client side, otherwise any website could start quietly bruteforcing the username/password out of a client.

If you've opened up access to the rpcport, then I don't think CORS support adds any significant vulnerability to password brute-forcing.  I suppose it means a 10-year-old non-programmer can repeatedly enter a username and password into a website to try to brute-force your rpcpassword... but anybody capable of writing or running a script could just write a brute-forcer that doesn't run in a browser.

And, come to think of it, turning on CORS explicitly wouldn't stop the ten-year-old, either: they could just repeatedly browse to the URL http://your-bitcoind-machine:8332/ and try different usernames/passwords.

Also, bitcoind already has anti-brute-forcing code.

The only security vulnerability I could imagine with CORS is that it might encourage people to add:
  rpcallowip=*
... to their bitcoin.conf, so they can connect to bitcoin from any IP address.  And I worry that they might not bother to set up SSL, in which case their rpc username/password will be sent across the net in the clear.


Title: Re: [PULL REQUEST] CORS support
Post by: davout on January 11, 2011, 01:12:51 PM
Well, what I'm saying is that if the bitcoin client is freely accessible from a script on my page, I can poke admin/password at every single visitor that passes and manage to rob 2% of them.
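
As an added example (not code from the pull request or from tcatm's implementation), here is how a JSON-RPC endpoint could emit CORS headers only for origins explicitly allowed in its config, the opt-in davout asks for above; the config key rpccorsorigin and the wallet origin are hypothetical, and the sample config and requests are constructed.

```python
# Added example, not code from the pull request: deciding CORS response headers
# for a JSON-RPC endpoint from an explicit allow-list instead of every origin.
from typing import Dict, Iterable, Optional, Set

def parse_allowlist(conf_lines: Iterable[str]) -> Set[str]:
    """Collect origins from hypothetical 'rpccorsorigin=<origin>' config lines.

    An empty set means CORS stays off (no headers are ever emitted). A literal
    '*' is rejected: RPC uses HTTP Basic auth, so every cross-origin call is a
    credentialed request, and browsers refuse 'Access-Control-Allow-Origin: *'
    for those; reflecting arbitrary origins instead would let any page a user
    visits drive the wallet, which is the objection raised in the thread.
    """
    allowed: Set[str] = set()
    for line in conf_lines:
        key, _, value = line.strip().partition("=")
        if key != "rpccorsorigin":
            continue
        value = value.strip()
        if value == "*":
            raise ValueError("rpccorsorigin=* is not allowed on a credentialed endpoint")
        allowed.add(value)
    return allowed

def cors_headers(origin: Optional[str], allowed: Set[str], method: str,
                 requested_method: Optional[str] = None) -> Dict[str, str]:
    """Headers to add to one response; {} means the browser will block the call."""
    if origin is None or origin not in allowed:   # same-origin/non-browser, or not allowed
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,       # echo the one matching origin, never *
        "Access-Control-Allow-Credentials": "true",  # the Authorization header is a credential
        "Vary": "Origin",                            # caches must not reuse across origins
    }
    if method == "OPTIONS":                          # preflight for the real POST
        if requested_method != "POST":               # JSON-RPC only ever needs POST
            return {}
        headers["Access-Control-Allow-Methods"] = "POST"
        headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        headers["Access-Control-Max-Age"] = "600"
    return headers

# Constructed sample config; the password is a placeholder.
SAMPLE_CONF = ["rpcuser=alice", "rpcpassword=REPLACE_ME",
               "rpccorsorigin=https://wallet.example"]
ALLOWED = parse_allowlist(SAMPLE_CONF)
```

With this shape the default config (no rpccorsorigin line) behaves exactly like a server without CORS, and a wildcard cannot be configured by accident.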


Title: Re: [PULL REQUEST] CORS support
Post by: tcatm on January 11, 2011, 04:59:29 PM
Another idea: Force SSL by default and don't add CORS (doesn't work well over SSL anyway), then use a proxy like SSLserver.py from js-remote that serves the Javascript UI and proxies RPC calls through another SSL connection.


Title: Re: [PULL REQUEST] CORS support
Post by: bitcoinex on January 11, 2011, 05:30:39 PM
This is very dangerous!

The browser is the most buggy program on a typical PC! Without the browser planted into SELinux I do not want this functionality: from a leaky browser, a site can read the password from the config file and steal the money. Such bugs are still happening.

I cannot offer a solution to this problem. I think that ordinary users should continue to use the GUI client and not use bitcoind + browser plugins etc.


Title: Re: [PULL REQUEST] CORS support
Post by: Gavin Andresen on January 11, 2011, 05:54:31 PM
Quote
The browser is the most buggy program on a typical PC! Without the browser planted into SELinux I do not want this functionality: from a leaky browser, a site can read the password from the config file and steal the money. Such bugs are still happening.

CORS support doesn't change this.

IF the browser has a bug that lets JavaScript code read the local filesystem, THEN JavaScript code can get your rpc username/password from your bitcoin.conf file.

And IF the JavaScript code can do that, then it can send rpc commands to bitcoind running on localhost (because, surprisingly, the same-origin policy does NOT apply to localhost: URLs; we learned that lesson here six months or so ago).

That is all true right now, with the released bitcoin/bitcoind.



Title: Re: [PULL REQUEST] CORS support
Post by: j16sdiz on January 12, 2011, 12:29:05 AM
Quote
This is very dangerous!

The browser is the most buggy program on a typical PC! Without the browser planted into SELinux I do not want this functionality: from a leaky browser, a site can read the password from the config file and steal the money. Such bugs are still happening.

I cannot offer a solution to this problem. I think that ordinary users should continue to use the GUI client and not use bitcoind + browser plugins etc.

CORS just removes the XSS protection (you know, those cookie-stealing or content-sniffing things); it does nothing to plugins / extensions / the local filesystem.

Do browsers have a bug for reading the local filesystem? Maybe.
Would this be CORS-related? Very unlikely: CORS works on a different level of abstraction.


Title: Re: [PULL REQUEST] CORS support
Post by: Gavin Andresen on January 18, 2011, 07:38:42 PM
I don't think we have consensus that CORS in bitcoin is a good idea, so I'm not going to pull this now.

tcatm's little proxy server is a good workaround.


Title: Re: [PULL REQUEST] CORS support
Post by: davout on January 20, 2011, 10:41:45 AM
Quote
I don't think we have consensus that CORS in bitcoin is a good idea, so I'm not going to pull this now.

tcatm's little proxy server is a good workaround.

Come on Gavin, be opinionated!
If users don't like it, they'll fork :)