* [Galene] Re: CORS help needed
@ 2024-11-03 18:21 Marty Betz
2024-11-03 19:43 ` Juliusz Chroboczek
0 siblings, 1 reply; 6+ messages in thread
From: Marty Betz @ 2024-11-03 18:21 UTC (permalink / raw)
To: galene
[-- Attachment #1: Type: text/plain, Size: 1279 bytes --]
On 2024-11-03, Juliusz Chroboczek wrote:
> Currently, Galene has a very primitive CORS configuration: either
> publicServer is not set in the config file, in which case no CORS headers
> are produced, or publicServer is set, in which case CORS headers allow
> unrestricted access
Because of required access to /public-group.json and /groups/groupname,
your bundled clients are only functional because they live on the same
domain as your server.
I guess one could argue that administrative requests should only be allowed
from a browser using these bundled example clients. Maybe all third party
client implementations should need to access "admin" APIs from a
site-generating server. (And thus, no CORS needed, and lessened XSS
vulnerability.)
So drawing a line between browser accessible API calls needing CORS, and
those you'd prefer to be accessible only from server would definitely be
useful.
I'm just learning about Galene details. What are administrative
interactions vs user interactions?
Questions:
1. For instance, will third party clients often want CORS access to data
like /public-groups.json?
2. Couldn't XSS allow for nefarious websocket listening and response? Does
the signaling protocol not also contain "administrative" possibilities?
Thank you,
Marty
[-- Attachment #2: Type: text/html, Size: 1410 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Galene] Re: CORS help needed
2024-11-03 18:21 [Galene] Re: CORS help needed Marty Betz
@ 2024-11-03 19:43 ` Juliusz Chroboczek
0 siblings, 0 replies; 6+ messages in thread
From: Juliusz Chroboczek @ 2024-11-03 19:43 UTC (permalink / raw)
To: Marty Betz; +Cc: galene
> I'm just learning about Galene details. What are administrative
> interactions vs user interactions?
Galene currently implements three independent protocols:
1. the native protocol, carried over a WebSocket over TLS;
2. the WHIP ingress protocol, carried over HTTP over TLS;
3. a REST-like interface for administration, used by the "change password"
dialog and by the galenectl tool; hopefully, at some point somebody
will write a graphical administration tool (but it won't be me).
> 1. For instance, will third party clients often want CORS access to data
> like /public-groups.json?
Yes, they'll want to be able to display the list of public groups. They
might also want to allow a user to change their password.
-- Juliusz
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Galene] CORS help needed
@ 2024-11-03 8:59 Juliusz Chroboczek
2024-11-03 13:05 ` [Galene] " Alexandre IOOSS
0 siblings, 1 reply; 6+ messages in thread
From: Juliusz Chroboczek @ 2024-11-03 8:59 UTC (permalink / raw)
To: galene
Hello,
The administrative interface currently doesn't provide any CORS headers.
This means tha people cannot access it from third-party web sites, they
need to either integrate their code into Galene or use native clients.
This is https://github.com/jech/galene/issues/226
Currently, Galene has a very primitive CORS configuration: either
publicServer is not set in the config file, in which case no CORS headers
are produced, or publicServer is set, in which case CORS headers (and the
equivalent for the WebSocket protocol) allow unrestricted access to both
the native protocol and the WHIP ingress protocol.
In either case, the administrative interface is not affected.
Questions to the experts:
- should we be allowing CORS on the administrative interface, or is it
a security risk?
- should we have a single directive to control CORS, or should there be
separate directives for audio/video and for administration?
- shold it be a single boolean, as right now, or should the user be able
to specify a specific domain?
My current understanding is:
- we should allow CORS, but make it default to no;
- we should have two distinct directives;
- we shold allow specifying a domain, or even a small number of domains.
Thanks for your help,
-- Juliusz
^ permalink raw reply [flat|nested] 6+ messages in thread* [Galene] Re: CORS help needed
2024-11-03 8:59 [Galene] " Juliusz Chroboczek
@ 2024-11-03 13:05 ` Alexandre IOOSS
2024-11-04 10:24 ` Juliusz Chroboczek
0 siblings, 1 reply; 6+ messages in thread
From: Alexandre IOOSS @ 2024-11-03 13:05 UTC (permalink / raw)
To: Juliusz Chroboczek, galene
Hello,
On 11/3/24 09:59, Juliusz Chroboczek wrote:
>
> - should we be allowing CORS on the administrative interface, or is it
> a security risk?
> <snip>
>
> - shold it be a single boolean, as right now, or should the user be able
> to specify a specific domain?
>
> My current understanding is:
>
> - we should allow CORS, but make it default to no;
>
> - we should have two distinct directives;
>
> - we shold allow specifying a domain, or even a small number of domains.
My two cents on the subject: we shouldn't motivate to set
'Access-Control-Allow-Origin: *' anywhere.
Users might set CORS to '*' to have a working setup, but might not
realize that now example.com can request their Galène instance (even if
Galène is hosted on a private network).
IMHO, a explicit configuration with a whitelist of allowed domain is a
much better solution compared to a boolean.
>> - should we have a single directive to control CORS, or should there be
>> separate directives for audio/video and for administration?
Let's consider a previous setup I had with Galène in some student
organization:
- Domain A hosts a modified Galène frontend.
- Domain B hosts a vanilla Galène server behind a NGINX reverse proxy.
- Domain B uses some NGINX directives to manually add a CORS header to
allow domain A to query Galène.
In such scenario, if an attacker manage to get XSS on the custom
frontend (for example through a badly implemented chat box), I clearly
don't want them to be able to request the administrative endpoint. So
having separate directives is a safer choice.
Best,
--
Alexandre
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Galene] Re: CORS help needed
2024-11-03 13:05 ` [Galene] " Alexandre IOOSS
@ 2024-11-04 10:24 ` Juliusz Chroboczek
2024-11-04 10:41 ` Alexandre IOOSS
0 siblings, 1 reply; 6+ messages in thread
From: Juliusz Chroboczek @ 2024-11-04 10:24 UTC (permalink / raw)
To: Alexandre IOOSS; +Cc: galene
> In such scenario, if an attacker manage to get XSS on the custom frontend
> (for example through a badly implemented chat box), I clearly don't want
> them to be able to request the administrative endpoint. So having separate
> directives is a safer choice.
Okay, you've convinced me. What's the right syntax? A list of strings,
the server finds the first origin that matches and dynamically generates
a header for that specific origin?
-- Juliusz
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-11-04 11:52 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-11-03 18:21 [Galene] Re: CORS help needed Marty Betz
2024-11-03 19:43 ` Juliusz Chroboczek
-- strict thread matches above, loose matches on Subject: below --
2024-11-03 8:59 [Galene] " Juliusz Chroboczek
2024-11-03 13:05 ` [Galene] " Alexandre IOOSS
2024-11-04 10:24 ` Juliusz Chroboczek
2024-11-04 10:41 ` Alexandre IOOSS
2024-11-04 11:52 ` Juliusz Chroboczek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox