
Topic: [PULL REQUEST] CORS support (Read 3053 times)

legendary
Activity: 1372
Merit: 1007
1davout
January 20, 2011, 06:41:45 AM
#11
Quote
I don't think we have consensus that CORS in bitcoin is a good idea, so I'm not going to pull this now.

tcatm's little proxy server is a good workaround.
Come on gavin, be opinionated!
If users don't like it, they'll fork Smiley
legendary
Activity: 1652
Merit: 2216
Chief Scientist
January 18, 2011, 03:38:42 PM
#10
I don't think we have consensus that CORS in bitcoin is a good idea, so I'm not going to pull this now.

tcatm's little proxy server is a good workaround.
newbie
Activity: 37
Merit: 0
January 11, 2011, 08:29:05 PM
#9
Quote
This is very dangerous!

The browser is the most buggy program on a typical PC! Without the browser confined in SELinux I do not want this functionality: from a leaky browser a site can read the password from the config file and steal the money. Such bugs are still happening.

I cannot offer a solution to this problem. I think that ordinary users should continue to use the GUI client and not use bitcoind + browser plugins etc.

CORS just removes the XSS protection -- you know, the cookie-stealing or content-sniffing stuff -- it does nothing to plugins / extensions / the local filesystem.

Does the browser have a bug that allows reading the local filesystem? Maybe.
Would this be CORS-related? Very unlikely -- CORS works on a different level of abstraction.
legendary
Activity: 1652
Merit: 2216
Chief Scientist
January 11, 2011, 01:54:31 PM
#8
Quote
The browser is the most buggy program on a typical PC! Without the browser confined in SELinux I do not want this functionality: from a leaky browser a site can read the password from the config file and steal the money. Such bugs are still happening.

CORS support doesn't change this.

IF the browser has a bug that lets JavaScript code read the local filesystem, THEN JavaScript code can get your rpc username/password from your bitcoin.conf file.

And IF the JavaScript code can do that, then it can send rpc commands to bitcoind running on localhost (because, surprisingly, the same-origin policy does NOT apply to localhost URLs -- we learned that lesson here six months or so ago).

That is all true right now, with the released bitcoin/bitcoind.

sr. member
Activity: 350
Merit: 252
probiwon.com
January 11, 2011, 01:30:39 PM
#7
This is very dangerous!

The browser is the most buggy program on a typical PC! Without the browser confined in SELinux I do not want this functionality: from a leaky browser a site can read the password from the config file and steal the money. Such bugs are still happening.

I cannot offer a solution to this problem. I think that ordinary users should continue to use the GUI client and not use bitcoind + browser plugins etc.
sr. member
Activity: 337
Merit: 265
January 11, 2011, 12:59:29 PM
#6
Another idea: Force SSL by default and don't add CORS (doesn't work well over SSL anyway), then use a proxy like SSLserver.py from js-remote that serves the Javascript UI and proxies RPC calls through another SSL connection.
legendary
Activity: 1372
Merit: 1007
1davout
January 11, 2011, 09:12:51 AM
#5
Well, what I'm saying is that if the bitcoin client is freely accessible from a script on my page, I can poke admin/password at every single visitor that passes and manage to rob 2% of them.
legendary
Activity: 1652
Merit: 2216
Chief Scientist
January 11, 2011, 08:53:33 AM
#4
davout said (at the github pull request):

Quote
I think this needs to be explicitly allowed from the bitcoin client side, otherwise any website could start quietly bruteforcing the username/password out of a client.

If you've opened up access to the rpcport, then I don't think CORS support adds any significant vulnerability to password brute-forcing.  I suppose it means a 10-year-old non-programmer can repeatedly enter a username and password into a website to try to brute-force your rpcpassword... but anybody capable of writing or running a script could just write a brute-forcer that doesn't run in a browser.

And, come to think of it, turning on CORS explicitly wouldn't stop the ten-year-old, either: they could just repeatedly browse to URL http://your-bitcoind-machine:8332/ and try different usernames/passwords.

Also, bitcoind already has anti-brute-forcing code.

The only security vulnerability I could imagine with CORS is that it might encourage people to add:
  rpcallowip=*
... to their bitcoin.conf, so they can connect to bitcoin from any IP address.  And I worry that they might not bother to set up SSL, in which case their rpc username/password will be sent across the net in the clear.
sr. member
Activity: 337
Merit: 265
January 07, 2011, 04:35:44 PM
#3
Quote
Is this going to be enabled by default?

Yep. It just adds two headers so browsers don't complain when using JSON-RPC across domains.
legendary
Activity: 1372
Merit: 1007
1davout
January 07, 2011, 04:33:01 PM
#2
Is this going to be enabled by default?
legendary
Activity: 1652
Merit: 2216
Chief Scientist
January 07, 2011, 03:23:45 PM
#1
https://github.com/bitcoin/bitcoin/pull/23

Cross Origin Resource Sharing lets servers support cross-origin Javascript. It is supported by the latest browsers (although IE support is... different), and involves sending CORS headers in responses.

Adding this enables Javascript code running in a browser to connect with any bitcoin/bitcoind that allows RPC connections from the browser's IP address and has the right rpc username/password.

Code changes are minimal (4 lines of code to output CORS headers).  Thanks to tcatm for implementing and testing.
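As an added example (not code from the pull request or from anyone in this thread), here is the per-request CORS decision a JSON-RPC server like bitcoind makes, contrasting the permissive wildcard policy the thread discusses with an origin allowlist; the allowlist origin, header values and function names are constructed for illustration.

```python
"""Added example: CORS response-header decision for a JSON-RPC endpoint.
Hypothetical code, not from bitcoind or the pull request discussed above."""
from typing import Mapping

# Constructed allowlist: the only web UI origin permitted to call the RPC port.
ALLOWED_ORIGINS = {"https://wallet-ui.example"}

# Browsers preflight any request that carries an Authorization header (Basic
# auth with rpcuser/rpcpassword) or a JSON Content-Type, so a working
# cross-origin JSON-RPC client needs both granted in the preflight answer.
RPC_ALLOWED_HEADERS = "Authorization, Content-Type"
RPC_ALLOWED_METHODS = "POST, OPTIONS"


def cors_headers(method: str, request_headers: Mapping[str, str],
                 allowed_origins=ALLOWED_ORIGINS, wildcard: bool = False) -> dict:
    """Return the CORS headers to add to the response for one request.

    wildcard=True reproduces the "any page may call me" policy debated in
    the thread. wildcard=False reflects only allowlisted origins; for any
    other origin no CORS headers are sent and the browser withholds the
    response from the calling script (same-origin policy stays in force).
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}                  # same-origin or non-browser client: nothing to add
    if wildcard:
        allow = "*"
    elif origin in allowed_origins:
        allow = origin             # reflect the exact allowlisted origin
    else:
        return {}                  # not allowlisted: omit headers, browser enforces
    headers = {"Access-Control-Allow-Origin": allow, "Vary": "Origin"}
    if allow != "*":
        # "*" may not be combined with Allow-Credentials (cookies / browser-
        # managed HTTP auth); only a concrete origin may opt in to that.
        headers["Access-Control-Allow-Credentials"] = "true"
    is_preflight = (method == "OPTIONS"
                    and "Access-Control-Request-Method" in request_headers)
    if is_preflight:
        headers["Access-Control-Allow-Methods"] = RPC_ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = RPC_ALLOWED_HEADERS
        headers["Access-Control-Max-Age"] = "600"
    return headers
```

Note that CORS only governs what a page's script may read back; it does not replace `rpcallowip`, SSL, or a strong `rpcpassword`, which still decide who can reach the port at all.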