fix(solo): don't enforce origin identity; we have access tokens

While checking that the connections to our private parts (such as the privileged CapTP) matched "localhost" and a few others was a stopgap before we had an accessToken (capability), now it is really a pain that impedes (but does not prevent) more general access when a user wants it. I believe it is now safe to remove this origin check, especially since it can trivially be bypassed, it just is a nuisance.
Agoric · Sep 16, 2021 · 1afb9f8 · 1afb9f8
1 parent f193fa2
commit 1afb9f8
Showing 1 changed file with 14 additions and 36 deletions.
diff --git a/packages/solo/src/web.js b/packages/solo/src/web.js
@@ -97,7 +97,6 @@ export async function makeHTTPListener(basedir, port, host, rawInboundCommand) {
   // path in /private but not /private/wallet-bridge: also require correct
   // accessToken= in query params
   const validateOriginAndAccessToken = async req => {
-    const { origin } = req.headers;
     const id = `${req.socket.remoteAddress}:${req.socket.remotePort}:`;
 
     const parsedUrl = new URL(req.url, 'http://some-host');
@@ -108,47 +107,26 @@ export async function makeHTTPListener(basedir, port, host, rawInboundCommand) {
       return true;
     }
 
-    // Bypass accessToken just for the wallet bridge.
-    if (fullPath !== '/private/wallet-bridge') {
-      // Validate the private accessToken.
-      const accessToken = await getAccessToken(port);
-      const reqToken = parsedUrl.searchParams.get('accessToken');
-
-      if (!verifyToken(reqToken, accessToken)) {
-        log.error(
-          id,
-          `Invalid access token ${JSON.stringify(
-            reqToken,
-          )}; try running "agoric open"`,
-        );
-        return false;
-      }
+    if (fullPath === '/private/wallet-bridge') {
+      // Bypass accessToken just for the wallet bridge.
+      return true;
     }
 
-    if (!origin) {
-      log.error(id, `Missing origin header`);
-      return false;
-    }
-    const originUrl = new URL(origin);
-    const isLocalhost = hostname =>
-      hostname.match(/^(localhost|127\.0\.0\.1)$/);
+    // Validate the private accessToken.
+    const accessToken = await getAccessToken(port);
+    const reqToken = parsedUrl.searchParams.get('accessToken');
 
-    if (['chrome-extension:', 'moz-extension:'].includes(originUrl.protocol)) {
-      // Extensions such as metamask are local and can access the wallet.
-      // Especially since the access token has been supplied.
+    if (verifyToken(reqToken, accessToken)) {
       return true;
     }
 
-    if (!isLocalhost(originUrl.hostname)) {
-      log.error(id, `Invalid origin host ${origin} is not localhost`);
-      return false;
-    }
-
-    if (!['http:', 'https:'].includes(originUrl.protocol)) {
-      log.error(id, `Invalid origin protocol ${origin}`, originUrl.protocol);
-      return false;
-    }
-    return true;
+    log.error(
+      id,
+      `Invalid access token ${JSON.stringify(
+        reqToken,
+      )}; try running "agoric open"`,
+    );
+    return false;
   };
 
   // accept POST messages to arbitrary endpoints