HTTP API: Disallow GET requests #7097

Merged
merged 2 commits into from
Apr 5, 2020
Commits on Apr 5, 2020

  1. HTTP API: Disallow GET requests on API

    This commit upgrades go-ipfs-cmds and configures the commands HTTP API Handler
    to only allow POST/OPTIONS, disallowing GET and others in the handling of
    command requests in the IPFS HTTP API (where before every type of request
    method was handled, with GET/POST/PUT/PATCH being equivalent).
    
    The Read-Only commands that the HTTP API attaches to the gateway endpoint will
    additionally handle GET as they did before (but stop handling PUT, DELETEs).
    
    By limiting the request types we address the possibility that a website
    accessed by a browser abuses the IPFS API by issuing GET requests to it which
    have no Origin or Referrer set, and thus bypass CORS and CSRF protections.
    
    This is a breaking change for clients that rely on GET requests against the
    HTTP endpoint (usually :5001). Applications integrating on top of the
    gateway-read-only API should still work (including cross-domain access).
    
    Co-Authored-By: Steven Allen <steven@stebalien.com>
    Co-Authored-By: Marcin Rataj <lidel@lidel.org>
    3 people committed Apr 5, 2020
    1b49047
  2. corehttp: Gateway handler: add Allow headers when returning MethodNotAllowed

    
    Spec says that response with 405 must set Allow headers.
    hsanjuan committed Apr 5, 2020
    7340543
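
The method restriction described in the two commit messages above, sketched with plain `net/http` as an added example (this is not code from go-ipfs or go-ipfs-cmds). The names `allowMethods`, `command`, `apiHandler`, `readOnlyHandler` and `probe` are hypothetical, and the request path is only a sample.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowMethods wraps next so that only the listed methods reach it. Any other
// method is answered with 405 plus an Allow header naming the accepted ones.
func allowMethods(next http.Handler, methods ...string) http.Handler {
	allowed := make(map[string]bool, len(methods))
	for _, m := range methods {
		allowed[m] = true
	}
	allowHeader := strings.Join(methods, ", ")
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed[r.Method] {
			w.Header().Set("Allow", allowHeader)
			http.Error(w, "405 - Method Not Allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// command is a stand-in for a command handler (hypothetical).
var command = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "ok")
})

// Full API: POST/OPTIONS only. Read-only subset on the gateway: GET as well.
var (
	apiHandler      = allowMethods(command, http.MethodPost, http.MethodOptions)
	readOnlyHandler = allowMethods(command, http.MethodGet, http.MethodPost, http.MethodOptions)
)

// probe sends one in-process request and returns the status and Allow header.
func probe(h http.Handler, method string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, "/api/v0/version", nil)) // sample path
	return rec.Code, rec.Header().Get("Allow")
}

func main() {
	for _, m := range []string{"GET", "POST", "PUT", "DELETE"} {
		a, _ := probe(apiHandler, m)
		g, _ := probe(readOnlyHandler, m)
		fmt.Printf("%-6s api=%d read-only=%d\n", m, a, g)
	}
}
```
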