[2.7][WebProfilerBundle] Fix CORS ajax security issues #18413
Conversation
| @@ -45,6 +45,7 @@ public function getConfigTreeBuilder() | ||
| ->end() | ||
| ->end() | ||
| ->booleanNode('intercept_redirects')->defaultFalse()->end() | ||
| ->booleanNode('enable_cors')->defaultFalse()->end() |
There was a problem hiding this comment.
Any downside to always enable it?
There was a problem hiding this comment.
No downside, even if you're doing cross domain calls without exposing the related headers. However, you'll have security logs in your console.
This should be enabled if you're doing cross domain calls on Symfony apps that enabled cors and have been configured to expose these headers through CORS. Moreover, even if you do that, I'm not sure you would be able to display profiles (to be tested)
There was a problem hiding this comment.
Oh, I just realized I read your comment to fast :) Of course, it's better to enable it by default, I'm gonna update this
cd33ed0 to
cc11f26
Compare
|
PR updated, comments addressed |
|
Same issue in 2.8 |
|
@kroshp All fixes will be merged up to all maintained branches after being merged into the lowest affected branch. |
| @@ -40,8 +40,9 @@ class WebDebugToolbarListener implements EventSubscriberInterface | ||
| protected $mode; | ||
| protected $position; | ||
| protected $excludedAjaxPaths; | ||
| protected $enableCors; |
There was a problem hiding this comment.
should be private (even if older properties are not for legacy reasons)
|
is there a way in JS to check whether a header can be accessed according to the CORS rules, to be able to fallback ? It would be great to avoid this configuration setting entirely, and just remove it from the display (or display it in a special way) when the token cannot be retrieved due to CORS restrictions |
|
btw, a try/catch around the statement reading the header might be an acceptable way to implement the fallback if there is no better one. |
|
I just tried to detect if we had access to these headers in CORS using Please note that these are not exception but Browser security warnings. You can try/catch these warnings but they still appear in the console. I'm not in favor of adding a new configuration, so this PR is stalled while we found something better :/ |
cc11f26 to
9b67024
Compare
|
I'm a bit stuck with this here... |
|
@romainneutron have to tried to ask on SO to get some help from the JS community ? |
…equest occured from another domain (romainneutron) This PR was merged into the 2.7 branch. Discussion ---------- [2.7][WebProfilerBunde] Give an absolute url in case the request occured from another domain | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | n/a | License | MIT | Doc PR | n/a This is related to #18413: Using two symfony application ProjectA and MicroServiceB, if ProjectA issues XHR to MicroServiceB and both have the WebProfilerBundle enabled, then Ajax requests will be monitored in ProjectA. But - at the moment - it will try to look for profiles under ProjectA domain whereas data are stored on MicroServiceB domain. This PR fixes this issue Commits ------- 1a5d4ad [WebProfilerBunde] Give an absolute url in case the request occured from another domain
|
Could why just avoid checking the headers entirely (and therefore showing the profiler link) when the AJAX request is for another domain? As nice as it is to show a profiler link that's coming from another Symfony app on some other domain, I'm not sure it's necessary - I'd expect the profiler link only for AJAX requests that are coming from this application. |
|
I like @weaverryan 's idea, WDYT? |
|
@weaverryan But that would mean that AJAX requests to the same application but with another domain also wouldn't be displayed, right? If so this is a BC break to me as someone might already rely on it (you could serve your internal API with a different domain for whatever reason for example). |
|
@weaverryan this would not be very convenient if you have an app hitting your API hosted on a different domain. |
|
@romainneutron can you try using |
|
@romainneutron I confirm you that |
|
though it returns a string representation of HTTP headers, so you will need to extract the header from it. |
|
or simpler: use the regex only to know whether the Symfony headers are exposed, and then use |
|
@stof thanks for the hint! I'll try this asap |
7b83000 to
20a26ee
Compare
|
PR has been updated, ready for review |
| if (ret = allHeaders.match(/^x-debug-token-link:\s+(.*)$/im)) { | ||
| stackElement.profilerUrl = ret[1]; | ||
| } | ||
| } |
There was a problem hiding this comment.
good catch, fixed
20a26ee to
cccc420
Compare
cccc420 to
f8dd87d
Compare
|
👍 |
|
Thank you @romainneutron. |
…mainneutron) This PR was merged into the 2.7 branch. Discussion ---------- [2.7][WebProfilerBundle] Fix CORS ajax security issues | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | N/A | License | MIT | Doc PR | N/A The WebProfiler toolbar monitors ajax requests. However, when using cross domain ajax requests, it triggers a security issues `Refused to get unsafe header "X-Debug-Token"` `Refused to get unsafe header "X-Debug-Token-Link"` because if the other app is not a Symfony App configured to expose these headers in CORS.  This fixes the issue. It adds a new configuration node to explicitly activate it on purpose. Commits ------- f8dd87d [WebProfilerBundle] Fix CORS ajax security issues
This PR was merged into the 2.7 branch. Discussion ---------- Fix js comment in profiler | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | | License | MIT | Doc PR | Single line comment introduced in #18413 causes the toolbar to fail to load with a syntax error. Commits ------- 91a2f5d Fix js comment in profiler
The WebProfiler toolbar monitors ajax requests. However, when using cross domain ajax requests, it triggers a security issues
Refused to get unsafe header "X-Debug-Token"Refused to get unsafe header "X-Debug-Token-Link"because if the other app is not a Symfony App configured to expose these headers in CORS.This fixes the issue. It adds a new configuration node to explicitly activate it on purpose.