mirror of
https://github.com/ipfs/kubo.git
synced 2026-03-07 01:08:08 +08:00
1b490476e5
This commit upgrades go-ipfs-cmds and configures the commands HTTP API Handler to only allow POST/OPTIONS, disallowing GET and others in the handling of command requests in the IPFS HTTP API (where before every type of request method was handled, with GET/POST/PUT/PATCH being equivalent). The Read-Only commands that the HTTP API attaches to the gateway endpoint will additional handled GET as they did before (but stop handling PUT,DELETEs). By limiting the request types we address the possibility that a website accessed by a browser abuses the IPFS API by issuing GET requests to it which have no Origin or Referrer set, and are thus bypass CORS and CSRF protections. This is a breaking change for clients that relay on GET requests against the HTTP endpoint (usually :5001). Applications integrating on top of the gateway-read-only API should still work (including cross-domain access). Co-Authored-By: Steven Allen <steven@stebalien.com> Co-Authored-By: Marcin Rataj <lidel@lidel.org> |
||
|---|---|---|
| .. | ||
| commands.go | ||
| corehttp.go | ||
| gateway_handler.go | ||
| gateway_indexPage.go | ||
| gateway_test.go | ||
| gateway.go | ||
| hostname_test.go | ||
| hostname.go | ||
| lazyseek_test.go | ||
| lazyseek.go | ||
| logs.go | ||
| metrics_test.go | ||
| metrics.go | ||
| mutex_profile.go | ||
| option_test.go | ||
| p2p_proxy_test.go | ||
| p2p_proxy.go | ||
| redirect.go | ||
| webui.go | ||