Bitcoin Forum
December 03, 2016, 05:55:08 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: [PULL REQUEST] CORS support  (Read 2772 times)
Gavin Andresen
Legendary
*
qt
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
January 07, 2011, 07:23:45 PM
 #1

https://github.com/bitcoin/bitcoin/pull/23

Cross Origin Resource Sharing lets servers support cross-origin Javascript. It is supported by the latest browsers (although IE support is... different), and involves sending CORS headers in responses.

Adding this enables Javascript code running in a browser to connect with any bitcoin/bitcoind that allows RPC connections from the browser's IP address and has the right rpc username/password.

Code changes are minimal (4 lines of code to output CORS headers).  Thanks to tcatm for implementing and testing.

How often do you get the chance to work on a potentially world-changing project?
1480787708
Hero Member
*
Offline Offline

Posts: 1480787708

View Profile Personal Message (Offline)

Ignore
1480787708
Reply with quote  #2

1480787708
Report to moderator
1480787708
Hero Member
*
Offline Offline

Posts: 1480787708

View Profile Personal Message (Offline)

Ignore
1480787708
Reply with quote  #2

1480787708
Report to moderator
The network tries to produce one block per 10 minutes. It does this by automatically adjusting how difficult it is to produce blocks.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480787708
Hero Member
*
Offline Offline

Posts: 1480787708

View Profile Personal Message (Offline)

Ignore
1480787708
Reply with quote  #2

1480787708
Report to moderator
davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
January 07, 2011, 08:33:01 PM
 #2

Is this going to be enabled by default ?

tcatm
Sr. Member
****
qt
Offline Offline

Activity: 337


View Profile
January 07, 2011, 08:35:44 PM
 #3

Is this going to be enabled by default ?

Yep. It just adds two headers so browsers don't complain when using JSON-RPC across domains.
Gavin Andresen
Legendary
*
qt
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
January 11, 2011, 12:53:33 PM
 #4

davout said (at the github pull request):

Quote
I think this needs to be explicitly allowed from the bitcoin client side, otherwise any website could start quietly bruteforcing the username/password out of a client.

If you've opened up access to the rpcport, then I don't think CORS support adds any significant vulnerability to password brute-forcing.  I suppose it means a 10-year-old non-programmer can repeatedly enter a username and password into a website to try to brute-force your rpcpassword... but anybody capable of writing or running a script could just write a brute-forcer that doesn't run in a browser.

And, come to think of it, turning on CORS explicitly wouldn't stop the ten-year-old, either: they could just repeatedly browse to URL  http://your-bitcoind-machine:8332/ and try different usernames/passwords.

Also, bitcoind already has anti-brute-forcing code.

The only security vulnerability I could imagine with CORS is that it might encourage people to add:
  rpcallowip=*
... to their bitcoin.conf, so they can connect to bitcoin from any IP address.  And I worry that they might not bother to setup SSL, in which case their rpc username/password will be sent across the net in the clear.

How often do you get the chance to work on a potentially world-changing project?
davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
January 11, 2011, 01:12:51 PM
 #5

Well, what I'm saying is that if the bitcoin client is freely accessible from a script on my page, I can poke admin/password at every single visitor that passes and manage to rob 2% of them.

tcatm
Sr. Member
****
qt
Offline Offline

Activity: 337


View Profile
January 11, 2011, 04:59:29 PM
 #6

Another idea: Force SSL by default and don't add CORS (doesn't work well over SSL anyway), then use a proxy like SSLserver.py from js-remote that serves the Javascript UI and proxies RPC calls through another SSL connection.
bitcoinex
Sr. Member
****
Offline Offline

Activity: 350


probiwon.com


View Profile WWW
January 11, 2011, 05:30:39 PM
 #7

This is very dangerous!

Browser is the most buggy program on typical PC! Without browser planted into SElinux I do not want this functionality - from leaky browser site can read the password from config file and steal the money. Such bugs are still happening.

I can not offer solution of this the problem. I think that ordinary users should continue to use GUI client and not use bitcoind + browser plugins etc.

New bitcoin lottery: probiwon.com
- Может, ты ещё и в Невидимую Руку Рынка веруешь? - Зачем же веровать в то, что можно наблюдать непосредственно?
Gavin Andresen
Legendary
*
qt
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
January 11, 2011, 05:54:31 PM
 #8

Browser is the most buggy program on typical PC! Without browser planted into SElinux I do not want this functionality - from leaky browser site can read the password from config file and steal the money. Such bugs are still happening.

CORS support doesn't change this.

IF the browser has a bug that lets JavaScript code read the local filesystem, THEN JavaScript code can get your rpc username/password from your bitcoin.conf file.

And IF the JavaScript code can do that, then it can send rpc commands to bitcoind running on localhost (because, surprisingly, the same-origin policy does NOT apply to localhost: urls-- we learned that lesson here six months or so ago).

That is all true right now, with the released bitcoin/bitcoind.


How often do you get the chance to work on a potentially world-changing project?
j16sdiz
Jr. Member
*
Offline Offline

Activity: 37


View Profile
January 12, 2011, 12:29:05 AM
 #9

This is very dangerous!

Browser is the most buggy program on typical PC! Without browser planted into SElinux I do not want this functionality - from leaky browser site can read the password from config file and steal the money. Such bugs are still happening.

I can not offer solution of this the problem. I think that ordinary users should continue to use GUI client and not use bitcoind + browser plugins etc.

CORS just remove the XSS protection -- you know, those cookie-stealing or content-snuffing stuff -- it do nothing to plugins / extensions / local filesystem.

Do browser have a bug for reading local filesystem? Maybe.
Would this be CORS-related? Very unlikely -- CORS works on different level of abstraction.
Gavin Andresen
Legendary
*
qt
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
January 18, 2011, 07:38:42 PM
 #10

I don't think we have consensus that CORS in bitcoin is a good idea, so I'm not going to pull this now.

tcatm's little proxy server is a good workaround.

How often do you get the chance to work on a potentially world-changing project?
davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
January 20, 2011, 10:41:45 AM
 #11

I don't think we have consensus that CORS in bitcoin is a good idea, so I'm not going to pull this now.

tcatm's little proxy server is a good workaround.
Come on gavin, be opinionated!
If users don't like it, they'll fork Smiley

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!