
[DevToolbar] Guard /iframe/ & /login-success/ pages against disallowed referer origins #77214

Open
ryan953 opened this issue Sep 9, 2024 · 3 comments · May be fixed by #77756

Comments

@ryan953
Member

ryan953 commented Sep 9, 2024

The /toolbar/:org/:project/iframe/ view (not /login-success/) page should check that the referer header matches the list of saved "Allowed Origins" within the project settings. This happens after the user is logged in.

We have the project url parameter, so we should be able to look up the allow list. Project name/slug/id should all be supported in the url. Wildcard subdomains are possible in the allowlist; the port must match too if specified.

If the domain is allowed then we'll pass a variable into the template to indicate that. domain_is_allowed = True
Else, if the domain is not allowed, then the variable will be set to something else. domain_is_allowed = True

The specific variable doesn't super matter, what matters is:

  • we're doing the check
  • can see the result of the check in the template

In the future we might have two templates, one for each case. But at this point there's no need.

Depends on #77213
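An added example, not code from the Sentry repository, sketching the check this comment asks for: the Referer origin is parsed and compared against allowlist entries that may use a wildcard subdomain and an optional port that must match when present. The allowlist entry format, the sample entries and the function names are assumptions.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed allowlist in the shape the issue describes: bare hosts, wildcard
# subdomains, and an optional port. The entry format is an assumption, not
# Sentry's project-settings schema.
ALLOWED_ORIGINS = [
    "app.example.com",
    "*.staging.example.com",
    "localhost:3000",
]


def _split_entry(entry: str) -> tuple[str, str | None]:
    """Return (host_pattern, port) for an allowlist entry; port is None if absent."""
    entry = entry.lower().strip()
    if "://" in entry:                 # tolerate a scheme prefix
        entry = entry.split("://", 1)[1]
    entry = entry.split("/", 1)[0]     # drop any path component
    host, _, port = entry.partition(":")
    return host, (port or None)


def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        # A wildcard covers subdomains only, never the bare apex domain,
        # and requires a real label boundary (the leading dot).
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def referer_is_allowed(referer: str | None, allowed: list[str]) -> bool:
    """True when the Referer header's origin matches an allowlist entry."""
    if not referer:
        return False                   # missing header: fail closed
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    if not host:
        return False
    try:
        port = str(parts.port) if parts.port else None
    except ValueError:                 # malformed port in the header
        return False
    for entry in allowed:
        pat_host, pat_port = _split_entry(entry)
        if not _host_matches(pat_host, host):
            continue
        if pat_port is not None and pat_port != port:
            continue                   # port must match when the entry specifies one
        return True
    return False
```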

@aliu39
Member

aliu39 commented Sep 17, 2024

Relates to #77577

@aliu39
Member

aliu39 commented Sep 17, 2024

Depends on #77213

@aliu39
Member

aliu39 commented Sep 17, 2024

@aliu39 aliu39 linked a pull request Sep 18, 2024 that will close this issue