Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SEC-4 JSON RPC interface allows all origins #331

Closed
Gustav-Simonsson opened this issue Feb 17, 2015 · 1 comment
Closed

SEC-4 JSON RPC interface allows all origins #331

Gustav-Simonsson opened this issue Feb 17, 2015 · 1 comment
Milestone
Frontier

Comments

@Gustav-Simonsson
Copy link

The JSON RPC server whitelists all origins in its cross origin resource header configuration: https://github.com/ethereum/go-ethereum/blob/develop/rpc/http/server.go#L89

This configuration bypasses cross origin request protections built in to most modern browsers. For example, it will allow an attacker to originate a transaction via the RPC interface if a user loads a malicious web page.

RECOMMENDATION:
Only whitelist trusted domains that are required for RPC interaction.
@tgerring tgerring mentioned this issue Feb 23, 2015
Closed
@kumavis
Copy link
Member

kumavis commented Feb 23, 2015

What origins do we expect to talk to the RPC?
localhost is a likely one, maybe *.ethereum.org? That would be risky if an XSS vuln was found.

@obscuren obscuren modified the milestone: Frontier Mar 9, 2015
@tgerring tgerring mentioned this issue Mar 29, 2015
Closed
4 tasks
tgerring added a commit to tgerring/go-ethereum that referenced this issue Mar 29, 2015
@tgerring
Add settable domain to CORS handler ethereum#331
b6fde73
@obscuren obscuren closed this as completed Apr 1, 2015
AusIV pushed a commit to NoteGio/go-ethereum that referenced this issue Jul 12, 2021
@meowsbits
Merge pull request ethereum#331 from etclabscore/docs-fix-typos
b56634b 
docs: fix minor typos
tanishqjasoria pushed a commit to tanishqjasoria/go-ethereum that referenced this issue Oct 31, 2023
@Thegaram
Add Archimedes hard fork block number for Scroll Alpha (ethereum#331)
b8d22a1 
* add Archimedes hard fork block number for Scroll Alpha

* bump version
maoueh pushed a commit to streamingfast/go-ethereum that referenced this issue Jun 13, 2024
@sebastianst
Fjord mainnet release (optimistic) (ethereum#331)
7c28198
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Frontier
Development

No branches or pull requests
3 participants
@Gustav-Simonsson @kumavis @obscuren