coosld/kubo
1
0
Fork 0
mirror of https://github.com/ipfs/kubo.git synced 2026-02-21 10:27:46 +08:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

fix: remove use of Clear-Site-Data

Browse Source 
We used Clear-Site-Data to cushion transition period for local gateway
exposed at http://localhost while we were still figuring out
security-related details.

In the final implementation subdomain gateways are not tied to a
hostname explicitly, which removes the risk of cookies leaking,
removing the need for the header.

Turns out it causes issues for Firefox users, so let's just remove it.

Closes https://github.com/ipfs-shipyard/ipfs-companion/issues/977
This commit is contained in:
Marcin Rataj 2021-01-29 22:08:16 +01:00
parent 884a5aebd7
commit d61ae2bcb4
No known key found for this signature in database
GPG Key ID: 222B6784D5A79E42
3 changed files with 0 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
core/corehttp/hostname.go
View File

@ -97,15 +97,6 @@ func HostnameOption() ServeOption {
return
}
if newURL != "" {
// Just to be sure single Origin can't be abused in
// web browsers that ignored the redirect for some
// reason, Clear-Site-Data header clears browsing
// data (cookies, storage etc) associated with
// hostname's root Origin
// Note: we can't use "*" due to bug in Chromium:
// https://bugs.chromium.org/p/chromium/issues/detail?id=898503
w.Header().Set("Clear-Site-Data", "\"cookies\", \"storage\"")
// Set "Location" header with redirect destination.
// It is ignored by curl in default mode, but will
// be respected by user agents that follow

1
docs/config.md
View File

@ -653,7 +653,6 @@ between content roots.
}
}
```
<!-- **(not implemented yet)** due to the lack of Origin isolation, cookies and storage on `Paths` will be disabled by [Clear-Site-Data](https://github.com/ipfs/in-web-browsers/issues/157) header -->
Default: `false`

7
test/sharness/t0114-gateway-subdomains.sh
View File

@ -181,13 +181,6 @@ test_localhost_gateway_response_should_contain \
"http://localhost:$GWAY_PORT/ipfs/$DIR_CID/" \
"Location: http://$DIR_CID.ipfs.localhost:$GWAY_PORT/"
# Responses to the root domain of subdomain gateway hostname should Clear-Site-Data
# https://github.com/ipfs/go-ipfs/issues/6975#issuecomment-597472477
test_localhost_gateway_response_should_contain \
"request for localhost/ipfs/{CIDv1} returns Clear-Site-Data header to purge Origin cookies and storage" \
"http://localhost:$GWAY_PORT/ipfs/$CIDv1" \
'Clear-Site-Data: \"cookies\", \"storage\"'
# We return body with HTTP 301 so existing cli scripts that use path-based
# gateway do not break (curl doesn't auto-redirect without passing -L; wget
# does not span across hostnames by default)