Bitcoin Forum
Author Topic: [PULL REQUEST] CORS support  (Read 3053 times)
Gavin Andresen (OP)
January 07, 2011, 07:23:45 PM
 #1

https://github.com/bitcoin/bitcoin/pull/23

Cross Origin Resource Sharing lets servers support cross-origin Javascript. It is supported by the latest browsers (although IE support is... different), and involves sending CORS headers in responses.

Adding this enables Javascript code running in a browser to connect with any bitcoin/bitcoind that allows RPC connections from the browser's IP address and has the right rpc username/password.

Code changes are minimal (4 lines of code to output CORS headers).  Thanks to tcatm for implementing and testing.

How often do you get the chance to work on a potentially world-changing project?
davout
January 07, 2011, 08:33:01 PM
 #2

Is this going to be enabled by default?

tcatm
January 07, 2011, 08:35:44 PM
 #3

Quote
Is this going to be enabled by default?

Yep. It just adds two headers so browsers don't complain when using JSON-RPC across domains.
Gavin Andresen (OP)
January 11, 2011, 12:53:33 PM
 #4

davout said (at the github pull request):

Quote
I think this needs to be explicitly allowed from the bitcoin client side, otherwise any website could start quietly bruteforcing the username/password out of a client.

If you've opened up access to the rpcport, then I don't think CORS support adds any significant vulnerability to password brute-forcing.  I suppose it means a 10-year-old non-programmer can repeatedly enter a username and password into a website to try to brute-force your rpcpassword... but anybody capable of writing or running a script could just write a brute-forcer that doesn't run in a browser.

And, come to think of it, turning on CORS explicitly wouldn't stop the ten-year-old, either: they could just repeatedly browse to URL  http://your-bitcoind-machine:8332/ and try different usernames/passwords.

Also, bitcoind already has anti-brute-forcing code.

The only security vulnerability I could imagine with CORS is that it might encourage people to add:
  rpcallowip=*
... to their bitcoin.conf, so they can connect to bitcoin from any IP address.  And I worry that they might not bother to set up SSL, in which case their rpc username/password will be sent across the net in the clear.

davout
January 11, 2011, 01:12:51 PM
 #5

Well, what I'm saying is that if the bitcoin client is freely accessible from a script on my page, I can poke admin/password at every single visitor that passes and manage to rob 2% of them.
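The mechanism argued over in posts #1, #4 and #5, as an added example that is not code from the pull request, from bitcoind, or from anyone in this thread: a small Python model of one visitor's RPC port, of the browser's CORS check, and of the page davout describes that tries a short guess list against every visitor's own machine. Assumptions, not taken from the page: that the two headers the patch adds are Access-Control-Allow-Origin and Access-Control-Allow-Headers; that the "anti-brute-forcing code" is a fixed delay on failed auth (modelled as a counter, not a real sleep); and the visitor names, credentials and guess list, which are constructed.

```python
# Added example, not bitcoind code. Models the RPC front door with and
# without the CORS headers, plus the two attack paths the thread compares.
import base64
import json


class RpcServer:
    """Stand-in for one visitor's bitcoind RPC port (assumed behaviour)."""

    def __init__(self, user, password, cors=False, balance=1.5):
        self.user, self.password, self.cors, self.balance = user, password, cors, balance
        self.failed_auths = 0   # guesses that actually reached this server
        self.delay_ms = 0       # assumed anti-brute-force delay, summed

    def cors_headers(self):
        if not self.cors:
            return {}
        # Assumed header pair (the page only says "two headers").
        return {"Access-Control-Allow-Origin": "*",
                "Access-Control-Allow-Headers": "Authorization"}

    def preflight(self):
        """Reply to the browser's OPTIONS request."""
        return {"status": 200, "headers": self.cors_headers()}

    def post(self, headers, body):
        expected = "Basic " + base64.b64encode(
            f"{self.user}:{self.password}".encode()).decode()
        if headers.get("Authorization", "") != expected:
            self.failed_auths += 1
            self.delay_ms += 250   # assumed: throttle failed attempts
            return {"status": 401, "headers": self.cors_headers(), "body": ""}
        req = json.loads(body)
        result = self.balance if req["method"] == "getbalance" else None
        return {"status": 200, "headers": self.cors_headers(),
                "body": json.dumps({"result": result, "error": None, "id": req["id"]})}


def browser_cors_ok(headers, origin):
    """Browser-side check: may a page from `origin` read this response?"""
    return headers.get("Access-Control-Allow-Origin") in ("*", origin)


def browser_xhr(server, origin, user, password, method="getbalance"):
    """Cross-origin XHR carrying an explicit Authorization header.  That header
    is not CORS-safelisted, so the browser preflights and sends the real
    request only if the preflight allows the header."""
    pre = server.preflight()
    allowed_hdrs = pre["headers"].get("Access-Control-Allow-Headers", "").lower()
    if not (browser_cors_ok(pre["headers"], origin) and "authorization" in allowed_hdrs):
        return None   # blocked in the browser: the guess never reaches bitcoind
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    resp = server.post({"Authorization": "Basic " + creds},
                       json.dumps({"method": method, "params": [], "id": 1}))
    if resp["status"] != 200 or not browser_cors_ok(resp["headers"], origin):
        return None
    return json.loads(resp["body"])["result"]


def attacker_page(visitors, guesses, origin="http://evil.example"):
    """davout's scenario: a page tries each guess against the RPC port on
    every visitor's machine.  Returns the balances it managed to read."""
    looted = {}
    for name, server in visitors.items():
        for user, pw in guesses:
            bal = browser_xhr(server, origin, user, pw)
            if bal is not None:
                looted[name] = bal
                break
    return looted


def direct_script(server, guesses):
    """Gavin's counterpoint: a non-browser script, no CORS check anywhere;
    only the server-side throttle slows it down."""
    for user, pw in guesses:
        creds = base64.b64encode(f"{user}:{pw}".encode()).decode()
        resp = server.post({"Authorization": "Basic " + creds},
                           json.dumps({"method": "getbalance", "params": [], "id": 1}))
        if resp["status"] == 200:
            return json.loads(resp["body"])["result"]
    return None


# Constructed guess list and visitor population.
GUESSES = [("admin", "password"), ("bitcoin", "bitcoin"), ("rpcuser", "rpcpass")]


def demo():
    with_cors = {"alice": RpcServer("admin", "password", cors=True),
                 "bob": RpcServer("rpcuser", "x8kQv2tLp", cors=True)}
    no_cors = {"carol": RpcServer("admin", "password", cors=False)}
    return {
        "looted_with_cors": attacker_page(with_cors, GUESSES),
        "looted_without_cors": attacker_page(no_cors, GUESSES),
        "guesses_reaching_carol": no_cors["carol"].failed_auths,
        "script_vs_carol": direct_script(no_cors["carol"], GUESSES),
    }


if __name__ == "__main__":
    print(demo())
```

What the model shows: with the headers, the page reads getbalance from every visitor whose credentials are in its guess list; without them the preflight fails and the guess never leaves the browser, which is the part of davout's objection that CORS changes. A script outside the browser hits the same port either way, which is Gavin's point, and whatever throttle bitcoind applies on failed auth is the only thing slowing that script down. Neither side of the model depends on rpcallowip: a page running on the victim's own machine is already inside any IP allow-list.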

tcatm
January 11, 2011, 04:59:29 PM
 #6

Another idea: Force SSL by default and don't add CORS (doesn't work well over SSL anyway), then use a proxy like SSLserver.py from js-remote that serves the Javascript UI and proxies RPC calls through another SSL connection.
bitcoinex
January 11, 2011, 05:30:39 PM
 #7

This is very dangerous!

The browser is the most buggy program on a typical PC! Without the browser confined in SELinux I do not want this functionality: through a leaky browser, a site can read the password from the config file and steal the money. Such bugs are still happening.

I cannot offer a solution to this problem. I think that ordinary users should continue to use the GUI client and not use bitcoind + browser plugins etc.

New bitcoin lottery: probiwon.com
- Maybe you also believe in the Invisible Hand of the Market? - Why believe in something you can observe directly?
Gavin Andresen (OP)
January 11, 2011, 05:54:31 PM
 #8

Quote
The browser is the most buggy program on a typical PC! Without the browser confined in SELinux I do not want this functionality: through a leaky browser, a site can read the password from the config file and steal the money. Such bugs are still happening.

CORS support doesn't change this.

IF the browser has a bug that lets JavaScript code read the local filesystem, THEN JavaScript code can get your rpc username/password from your bitcoin.conf file.

And IF the JavaScript code can do that, then it can send rpc commands to bitcoind running on localhost (because, surprisingly, the same-origin policy does NOT apply to localhost URLs; we learned that lesson here six months or so ago).

That is all true right now, with the released bitcoin/bitcoind.


j16sdiz
January 12, 2011, 12:29:05 AM
 #9

Quote
This is very dangerous!

The browser is the most buggy program on a typical PC! Without the browser confined in SELinux I do not want this functionality: through a leaky browser, a site can read the password from the config file and steal the money. Such bugs are still happening.

I cannot offer a solution to this problem. I think that ordinary users should continue to use the GUI client and not use bitcoind + browser plugins etc.

CORS just removes the XSS protection -- you know, those cookie-stealing or content-sniffing things -- it does nothing to plugins / extensions / the local filesystem.

Do browsers have a bug for reading the local filesystem? Maybe.
Would this be CORS-related? Very unlikely -- CORS works on a different level of abstraction.
Gavin Andresen (OP)
January 18, 2011, 07:38:42 PM
 #10

I don't think we have consensus that CORS in bitcoin is a good idea, so I'm not going to pull this now.

tcatm's little proxy server is a good workaround.

davout
January 20, 2011, 10:41:45 AM
 #11

Quote
I don't think we have consensus that CORS in bitcoin is a good idea, so I'm not going to pull this now.

tcatm's little proxy server is a good workaround.

Come on gavin, be opinionated!
If users don't like it, they'll fork :)
