Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

apiconsole: allow uploads in console #1126

Merged
merged 1 commit into from
Jul 26, 2024
Merged

apiconsole: allow uploads in console #1126

merged 1 commit into from
Jul 26, 2024

Conversation

jordigh
Copy link
Contributor

@jordigh jordigh commented Jul 25, 2024
edited
Loading

By adding an XHR to "Try it out" requests, we can make non-JSON requests pass a CORS check.

@jordigh jordigh force-pushed the jordigh/allow-uploads-in-apiconsole branch from d595eb3 to 9876c7f Compare July 25, 2024 22:29
@jordigh
apiconsole: allow uploads in console
7760fe5 
By adding an XHR to "Try it out" requests, we can make non-JSON
requests pass a CORS check.
@jordigh jordigh force-pushed the jordigh/allow-uploads-in-apiconsole branch from 9876c7f to 7760fe5 Compare July 26, 2024 03:02
berhalak
berhalak approved these changes Jul 26, 2024
View reviewed changes
Copy link
Contributor

@berhalak berhalak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks.

paulfitz
paulfitz approved these changes Jul 26, 2024
View reviewed changes
Copy link
Member

@paulfitz paulfitz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading the note at

grist-core/app/server/lib/Authorizer.ts

Lines 229 to 237 in a9521a8

// If we haven't already been authenticated, and this is not a GET/HEAD/OPTIONS, then
// require a header that would trigger a CORS pre-flight request, either:
// - X-Requested-With: XMLHttpRequest
// - https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#use-of-custom-request-headers
// - https://markitzeroday.com/x-requested-with/cors/2017/06/29/csrf-mitigation-for-ajax-requests.html
// - Content-Type: application/json
// - https://www.directdefense.com/csrf-in-the-age-of-json/
// This is trivial for legitimate web clients to do, and an obstacle to
// nefarious ones.
I think this is exactly the right solution. Thanks for tracking it down @jordigh !

@jordigh jordigh merged commit c9f9b70 into main Jul 26, 2024
11 checks passed
@jordigh jordigh deleted the jordigh/allow-uploads-in-apiconsole branch July 26, 2024 13:09
dsagal
dsagal reviewed Jul 26, 2024
View reviewed changes
app/client/apiconsole.ts
// that they pass a same origin request, even if they're not GET,
// HEAD, or OPTIONS. "Try it out" requests are the requests to the
// same origin.
if (url.origin === window.origin) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please be sure to verify this works once it reaches staging or prod, since there it's common, I think, to have the window on a URL like https://<org-subdomain>.getgrist.com/apiconsole and the request going to https://api.getgrist.com/....

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just checked, and it looks like the relevant request, the one initiated by the Swagger API console, does indeed go back to the same origin.
image

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

^ this is a good point. I just double-checked in prod, and the api console sends requests to the same domain.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dsagal dsagal dsagal left review comments

@paulfitz paulfitz paulfitz approved these changes

@berhalak berhalak berhalak approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jordigh @paulfitz @dsagal @berhalak