Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OAuth2 App enabled with CORS fix #28864

Merged
merged 1 commit into from
Aug 31, 2017
Merged

Conversation

noveens
Copy link
Contributor

@noveens noveens commented Aug 30, 2017

Description

I removed the beforeController logic here due to the change of handling CORS since PR #28457

According to previous implementation, CORS was only allowed with methods that had @PublicPage notation for preventing CSRF attacks.
But in the latest PR by me, the current implementations is as follows:

  • maintain a white-list of domains for whom CORS is enabled
  • This list can be viewed and edited under settings -> personal -> security

This implementation removes the need for @PublicPage.

Related Issue

#28860

How Has This Been Tested?

Tested by @SamuAlfageme
More testing required since I can't reproduce the issue.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

@PVince81 @jesmrec @SamuAlfageme @Peter-Prochaska

@jesmrec
Copy link

jesmrec commented Aug 31, 2017

👍

@PVince81
Copy link
Contributor

@noveens also we made CORS allowed by default for all OCS endpoints.

Copy link
Contributor

@PVince81 PVince81 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@PVince81
Copy link
Contributor

@noveens please add this one to your backport PR

@PVince81
Copy link
Contributor

Jenkins slapped

@noveens
Copy link
Contributor Author

noveens commented Aug 31, 2017

@PVince81 ,

can you restart travis?

@phil-davis
Copy link
Contributor

phil-davis commented Aug 31, 2017

For Travis, you can click the "Details" link, select the job(s) that had a problem and press "restart".
I did that just now - there was only 1 job that had some dodgy error. It should pass when it gets run in the Travis queue.
and its happy now

@PVince81 PVince81 merged commit c1df3d4 into master Aug 31, 2017
@PVince81 PVince81 deleted the OAuth2_App_enabled_with_CORS_fix branch August 31, 2017 18:12
@DeepDiver1975
Copy link
Member

Are we fully droping the CORS annotation?
It is used by apps - e.g. https://github.com/owncloud/music/blob/735f7509a94048b38600d5a0995f6eabdfffb568/controller/settingcontroller.php#L96

Please verify that this is still working - and dev docs need to be updated

@DeepDiver1975
Copy link
Member

@PVince81
Copy link
Contributor

PVince81 commented Sep 1, 2017

@noveens please verify.

I suspect that even if the annotation is set, it will not break as CORS is enabled by default. Better check though to avoid surprises.

@noveens
Copy link
Contributor Author

noveens commented Sep 1, 2017

@DeepDiver1975 @PVince81 ,

We are not dropping the @CORS notation, In fact it is being used in the core server as well.
We are integrating the @CORS notation with the domain whitelisting management.

Like all the methods with @CORS would not have CORS for all domains but only the ones which have been whitelisted by the user.

@lock
Copy link

lock bot commented Aug 2, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 2, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants