Bitcoin Forum
Topic: [PULL REQUEST] CORS support
Gavin Andresen (Chief Scientist)
January 07, 2011, 07:23:45 PM  #1

https://github.com/bitcoin/bitcoin/pull/23

Cross Origin Resource Sharing lets servers support cross-origin Javascript. It is supported by the latest browsers (although IE support is... different), and involves sending CORS headers in responses.

Adding this enables Javascript code running in a browser to connect with any bitcoin/bitcoind that allows RPC connections from the browser's IP address and has the right rpc username/password.

Code changes are minimal (4 lines of code to output CORS headers).  Thanks to tcatm for implementing and testing.

How often do you get the chance to work on a potentially world-changing project?
davout
January 07, 2011, 08:33:01 PM  #2

Is this going to be enabled by default?

tcatm
January 07, 2011, 08:35:44 PM  #3

Quote
Is this going to be enabled by default?

Yep. It just adds two headers so browsers don't complain when using JSON-RPC across domains.
Gavin Andresen (Chief Scientist)
January 11, 2011, 12:53:33 PM  #4

davout said (at the github pull request):

Quote
I think this needs to be explicitly allowed from the bitcoin client side, otherwise any website could start quietly bruteforcing the username/password out of a client.

If you've opened up access to the rpcport, then I don't think CORS support adds any significant vulnerability to password brute-forcing.  I suppose it means a 10-year-old non-programmer can repeatedly enter a username and password into a website to try to brute-force your rpcpassword... but anybody capable of writing or running a script could just write a brute-forcer that doesn't run in a browser.

And, come to think of it, turning on CORS explicitly wouldn't stop the ten-year-old, either: they could just repeatedly browse to the URL http://your-bitcoind-machine:8332/ and try different usernames/passwords.

Also, bitcoind already has anti-brute-forcing code.

The only security vulnerability I could imagine with CORS is that it might encourage people to add:
  rpcallowip=*
... to their bitcoin.conf, so they can connect to bitcoin from any IP address.  And I worry that they might not bother to set up SSL, in which case their rpc username/password will be sent across the net in the clear.

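The configuration Gavin worries about, next to a tightened one, checked by a small audit script. This is an added example and not code from bitcoind or the pull request: the parser and the findings are this example's own, both config texts are constructed, and of the option names only rpcallowip, rpcuser and rpcpassword appear on this page (rpcssl=1 is assumed here to be the switch for the daemon's SSL listener).

```javascript
// Added example, not code from bitcoind or the pull request. Parses a
// bitcoin.conf text and flags the exposure discussed above: RPC opened to
// every address while the SSL listener is off, so the password crosses the
// network in the clear. The two config texts at the bottom are constructed.

function parseConf(text) {
  const conf = {};
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*/, "").trim();  // drop comments and blanks
    const eq = line.indexOf("=");
    if (!line || eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (!conf[key]) conf[key] = [];                // keys such as rpcallowip may repeat
    conf[key].push(value);
  }
  return conf;
}

// Assumption: rpcallowip takes a literal address or a '*' wildcard pattern.
// Anything that is not loopback is treated as exposing RPC to the network.
function allowsRemote(allowList) {
  return allowList.some((v) => v !== "127.0.0.1" && v !== "localhost");
}

function auditRpcConfig(text) {
  const conf = parseConf(text);
  const allow = conf.rpcallowip || [];
  const remote = allowsRemote(allow);
  const ssl = (conf.rpcssl || []).includes("1");  // assumed: rpcssl=1 turns SSL on
  const findings = [];
  if (allow.includes("*")) {
    findings.push({ severity: "high", text: "rpcallowip=* lets any address attempt RPC logins" });
  } else if (remote) {
    findings.push({ severity: "info", text: `RPC reachable from: ${allow.join(", ")}` });
  }
  if (remote && !ssl) {
    findings.push({ severity: "high", text: "rpcssl is off: rpcuser/rpcpassword are sent in the clear" });
  }
  if (!conf.rpcpassword) {
    findings.push({ severity: "high", text: "no rpcpassword set" });
  }
  return { remote, ssl, findings };
}

function highFindings(audit) {
  return audit.findings.filter((f) => f.severity === "high").map((f) => f.text);
}

// Constructed: the config the post warns about ...
const WEAK_CONF = `
rpcuser=user
rpcpassword=hunter2
# reachable from anywhere, and the password travels as plaintext Basic auth
rpcallowip=*
`;

// ... and a tightened one: loopback plus one trusted machine, SSL on.
const SAFER_CONF = `
rpcuser=user
rpcpassword=hunter2
rpcallowip=127.0.0.1
rpcallowip=192.168.1.20
rpcssl=1
`;
```

Run `auditRpcConfig(WEAK_CONF)` and `auditRpcConfig(SAFER_CONF)`: the first yields two high findings (wildcard allow list, cleartext credentials), the second only an informational note that one non-loopback address is allowed.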
davout
January 11, 2011, 01:12:51 PM  #5

Well, what I'm saying is that if the bitcoin client is freely accessible from a script on my page, I can poke admin/password at every single visitor that passes and manage to rob 2% of them.

tcatm
January 11, 2011, 04:59:29 PM  #6

Another idea: Force SSL by default and don't add CORS (doesn't work well over SSL anyway), then use a proxy like SSLserver.py from js-remote that serves the Javascript UI and proxies RPC calls through another SSL connection.
bitcoinex
January 11, 2011, 05:30:39 PM  #7

This is very dangerous!

The browser is the buggiest program on a typical PC! Without the browser locked down in SELinux I do not want this functionality: through a leaky browser, a site can read the password from the config file and steal the money. Such bugs are still happening.

I cannot offer a solution to this problem. I think that ordinary users should continue to use the GUI client and not use bitcoind + browser plugins etc.

Gavin Andresen (Chief Scientist)
January 11, 2011, 05:54:31 PM  #8

Quote
The browser is the buggiest program on a typical PC! Without the browser locked down in SELinux I do not want this functionality: through a leaky browser, a site can read the password from the config file and steal the money. Such bugs are still happening.

CORS support doesn't change this.

IF the browser has a bug that lets JavaScript code read the local filesystem, THEN JavaScript code can get your rpc username/password from your bitcoin.conf file.

And IF the JavaScript code can do that, then it can send rpc commands to bitcoind running on localhost (because, surprisingly, the same-origin policy does NOT apply to localhost URLs; we learned that lesson here six months or so ago).

That is all true right now, with the released bitcoin/bitcoind.


j16sdiz
January 12, 2011, 12:29:05 AM  #9

Quote
This is very dangerous!

The browser is the buggiest program on a typical PC! Without the browser locked down in SELinux I do not want this functionality: through a leaky browser, a site can read the password from the config file and steal the money. Such bugs are still happening.

I cannot offer a solution to this problem. I think that ordinary users should continue to use the GUI client and not use bitcoind + browser plugins etc.

CORS just removes the XSS protection -- you know, those cookie-stealing or content-sniffing things -- it does nothing to plugins / extensions / the local filesystem.

Do browsers have a bug for reading the local filesystem? Maybe.
Would this be CORS-related? Very unlikely -- CORS works on a different level of abstraction.
Gavin Andresen (Chief Scientist)
January 18, 2011, 07:38:42 PM  #10

I don't think we have consensus that CORS in bitcoin is a good idea, so I'm not going to pull this now.

tcatm's little proxy server is a good workaround.

davout
January 20, 2011, 10:41:45 AM  #11

Quote
I don't think we have consensus that CORS in bitcoin is a good idea, so I'm not going to pull this now.

tcatm's little proxy server is a good workaround.

Come on gavin, be opinionated!
If users don't like it, they'll fork :)
