Reject cookies from third-party applications #526
Conversation
01f3671 to 62a9044 (Compare)
@dmitrizagidulin Updated check for equality with the hostnames of either the user ID or the server.
lib/create-app.js (outdated)

```js
const userId = req.session.userId
console.log('check')
if (origin && userId) {
const userIdHost = userId.replace(/([^:/])\/.*/, '$1')
```
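Review bot: `console.log('check')` on the second line of this snippet looks like leftover debugging output and should be removed before merge; it would print for every request reaching this code. On the `userIdHost` line, `userId.replace(/([^:/])\/.*/, '$1')` cuts at the first `/` that is not part of `://`, so the result is `scheme://host[:port]` (for example `https://ruben.databox.me` from `https://ruben.databox.me/profile/card`) rather than a bare hostname; whatever it is compared against must be in the same form, which the browser's `Origin` header is. A user ID with no path component (only a fragment, such as `https://example.org#me`) would be left untouched, fragment included, so parsing with `URL` and comparing `.origin` values would be more robust than the regex.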
I think this might grab the path, as well as the host? so, it'll be like ruben.databox.me/profile/card, yeah?
Ah, n/m :) See it.
Otherwise, when a user is logged in to their Solid server, any third-party application could perform authenticated requests without permission by including the credentials set by the Solid server. Closes #524. Breaking change, needs new semver-major.
62a9044 to de38bf8 (Compare)
@dmitrizagidulin Now with unit tests for the check.
@RubenVerborgh 👍 , thank you!
There seems to be no discussion about the way this interacts with CORS. There is no issue behind this PR?
@timbl The issue is tagged in the description, it's #524. There's no interaction with CORS: we simply allow all cross-origin interactions on Solid servers, and also accept cookies with AJAX requests from any origin. As a result from that openness, we need to be careful about what requests we accept from what hosts, and the cookies mechanism wasn't doing that.
Otherwise, when a user is logged in to their Solid server, any third-party application could perform authenticated requests without permission by including the credentials set by the Solid server. Closes #524. Breaking change, needs new semver-major.

Note: this breaks Warp, which currently relies on cookie-based authentication (linkeddata/warp#23).
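As an added example (not node-solid-server's own code and not the code of this PR), the following shows an origin check of the kind the comment about CORS and the description above call for: a session cookie is honoured only when the request's `Origin` header matches the origin of the logged-in user's ID or the server itself, and any other origin has its session ignored. The `serverOrigin` parameter, the `rejectForeignCookies` middleware name and the sample requests in `demo()` are assumptions of the example; it uses the WHATWG `URL` parser rather than the regex from the review snippet so that default ports and fragment-only user IDs are normalised the same way browsers normalise `Origin`.

```javascript
'use strict'

// Added example, not node-solid-server's code. A cookie-based session is only
// honoured when the request's Origin matches the origin of the user's ID or the
// server's own origin. `serverOrigin` (scheme://host[:port]) is an assumed input.

// Normalise a URI to its origin (scheme://host[:port], default port dropped),
// which is exactly the form browsers send in the Origin header.
function originOf (uri) {
  try {
    return new URL(uri).origin
  } catch (e) {
    return null // not a parseable absolute URI
  }
}

// True when the session cookie may be used for this request, false when the
// credentials were attached by a page on a third-party origin.
function isTrustedOrigin (origin, userId, serverOrigin) {
  // No Origin header: not a cross-site browser request, so nothing to reject;
  // this mirrors the snippet's `if (origin && userId)` guard.
  if (!origin) return true
  // Sandboxed or opaque origins arrive as the literal string "null";
  // treat them as third-party.
  if (origin === 'null') return false
  const userOrigin = originOf(userId)
  const ownOrigin = originOf(serverOrigin)
  return origin === userOrigin || origin === ownOrigin
}

// Express-style middleware (assumed name): when the origin is foreign, forget
// the session's user so the request is handled as unauthenticated.
function rejectForeignCookies (serverOrigin) {
  return function (req, res, next) {
    const userId = req.session && req.session.userId
    const origin = req.headers && req.headers.origin
    if (userId && !isTrustedOrigin(origin, userId, serverOrigin)) {
      delete req.session.userId
    }
    next()
  }
}

// Constructed sample requests (not captured traffic) run through the middleware.
function demo () {
  const serverOrigin = 'https://databox.me'
  const middleware = rejectForeignCookies(serverOrigin)
  const cases = [
    { origin: 'https://ruben.databox.me', expect: 'kept' }, // the user's own origin
    { origin: 'https://databox.me', expect: 'kept' }, // the server itself
    { origin: 'https://app.example', expect: 'dropped' }, // a third-party application
    { origin: 'null', expect: 'dropped' }, // opaque origin
    { origin: undefined, expect: 'kept' } // no Origin header at all
  ]
  return cases.map(function (c) {
    const req = {
      session: { userId: 'https://ruben.databox.me/profile/card#me' },
      headers: { origin: c.origin }
    }
    middleware(req, {}, function () {})
    return {
      origin: c.origin,
      result: req.session.userId ? 'kept' : 'dropped',
      expect: c.expect
    }
  })
}
```

In this example a request from a foreign origin is handled as unauthenticated rather than rejected outright. That is also the effect the description warns about for an application such as Warp, whose cookie-carrying requests from its own origin would no longer be treated as the logged-in user.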