New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow configuring which headers are exposed #202
Conversation
8effbd9
to
28feee7
Compare
If the |
@mitar My understanding is that the "iframe" transports bypass CORS and will in fact deliver messages with cookies. These transports are intended to work on browsers that predate CORS. I had exactly the same misunderstanding early on, too, and thought that whitelisting the Sandstorm headers would be safe. I'm glad sock.js never gave me the opportunity to shoot myself in the foot, and I think it's best to leave the whitelist non-configurable to minimize future foot-shooting by others. |
No, sock.js is choosing a particular design option here where it could be different. It seems that sock.js endpoints are by design allowing cross-origin requests: iframe allows messages from every origin, other requests even allow credentials (why, if cookies are stripped afterwards?). I can understand that allowing connecting for some apps to sock.js from other origins might be desirable, but in my opinion that should not be a default to begin with. And it is easy to make it not work like that:
With this, only the app could talk back to sock.js. You lose sock.js "public API" nature so other sites cannot connect to it anymore, but for Sandstorm this does not work anyway, because it requires one to open URL through Sandstorm (or use public API URL). So, for Sandstorm in particular, all those holes could be closed, and then So sock.js could be allowing you to shoot yourself in the foot because it is choosing a different default (cross-origin allowed by default) than what people are used to normally on the web. If this would not be a surprising default, then also exposing headers would not have a surprising consequences. |
@mitar Unfortunately, I cannot accept this PR. It is too flexible, and would allow the user to bypass very important security restrictions. I do think a non-cross-origin mode is something we could add, but it needs some small changes to the |
Probably , then we should allow standardized headers like traceparent , tracestate #meteor/meteor-feature-requests#397 |
Yes, those might be possible to add. After this PR was denied, the following did get in: #212 |
This is a backwards compatible change but I really think that it should be allowed which headers are available to the program, for better or worse. In my case I need some
x-
prefixed headers exposed by our reverse proxy so there is no way somebody could fake them (it sanitizes and sets them).Fixes #198.