Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add __amp_source_origin to amp-form non-xhr action and update example. #4546

Merged
merged 9 commits into from
Aug 19, 2016
Merged

Add __amp_source_origin to amp-form non-xhr action and update example. #4546

merged 9 commits into from
Aug 19, 2016

Conversation

mkhatib
Copy link
Contributor

@mkhatib mkhatib commented Aug 16, 2016
edited
Loading

Follow up to #4485 and part of security review for amp-form.

ITI: #3343

jridgewell
jridgewell reviewed Aug 16, 2016
View reviewed changes
extensions/amp-form/0.1/amp-form.js
// Update the form non-xhr action to add `__amp_source_origin` parameter.
// This allows publishers to understand where the request is coming from.
const action = this.form_.getAttribute('action');
user().assert(action, 'form action is required: %s',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be in the validator instead?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's in the validator, but I think we also like to do validation here for an early error indicator.

@mkhatib
Copy link
Contributor Author

mkhatib commented Aug 17, 2016

PTAL

@mkhatib mkhatib force-pushed the amp-form-cors-server-example branch from f175980 to f1ed185 Compare August 17, 2016 20:04
@mkhatib mkhatib force-pushed the amp-form-cors-server-example branch from f1ed185 to d6c1ba8 Compare August 17, 2016 20:38
@mkhatib
Copy link
Contributor Author

mkhatib commented Aug 18, 2016

PTAL

dvoytenko
dvoytenko reviewed Aug 18, 2016
View reviewed changes
src/document-submit.js
const action = form.getAttribute('action');
user().assert(action, 'form action attribute is required: %s', form);
assertHttpsUrl(action, form, 'action');
user().assert(!startsWith(action, urls.cdn),
'form action should not be on AMP CDN: %s', form);
// Update the form non-xhr action to add `__amp_source_origin` parameter.
// This allows publishers to understand where the request is coming from.
if (action.indexOf('__amp_source_origin=') == -1) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to overwrite the existing __amp_source_origin, or fail, to avoid someone trying to pretend to have request from another origin.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess override then cause otherwise it'll error with every time it'll try to subsequently submit.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@dvoytenko
Copy link
Contributor

LGTM. Except for the issue with overriding the param - that's important.

@mkhatib
Copy link
Contributor Author

mkhatib commented Aug 18, 2016

@dvoytenko mind taking one last look 👀 with the last change?

molnarg
molnarg reviewed Aug 18, 2016
View reviewed changes
build-system/server.js
@@ -79,7 +79,28 @@ app.use('/api/echo/post', function(req, res) {
res.end(JSON.stringify(req.body, null, 2));
});

const ORIGIN_REGEX = new RegExp('^http://localhost:8000|' +
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a comment saying that in practice, this would be *.ampproject.org and the publisher's origin.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

Mohammad Khatib added 2 commits August 18, 2016 09:35
@mkhatib
Copy link
Contributor Author

mkhatib commented Aug 18, 2016

@dvoytenko re-wrote the override logic as discussed. Let me know if this looks good. 👀

@dvoytenko
Copy link
Contributor

LGTM

@mkhatib mkhatib merged commit 9b49260 into ampproject:master Aug 19, 2016
@mkhatib mkhatib deleted the amp-form-cors-server-example branch August 19, 2016 00:17
ariangibson pushed a commit to Mixpo/amphtml that referenced this pull request Sep 7, 2016
@mkhatib @ariangibson
Add __amp_source_origin to amp-form non-xhr action and update example. (
902be76 
ampproject#4546)
mityaha pushed a commit to ooyala/amphtml that referenced this pull request Nov 30, 2016
@mkhatib @mityaha
Add __amp_source_origin to amp-form non-xhr action and update example. (
839dca5 
ampproject#4546)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@dvoytenko dvoytenko

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mkhatib @dvoytenko @jridgewell @erwinmombay @molnarg