Skip to content

charts/nginz: Add restrictive CORS headers to all URLs and explicitly… #1630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jan 26, 2022
Merged

charts/nginz: Add restrictive CORS headers to all URLs and explicitly… #1630

merged 6 commits into from
Jan 26, 2022

Conversation

arianvp
Copy link
Contributor

@arianvp arianvp commented Jun 28, 2021
edited
Loading

Add restrictive CORS headers to all origins and explicitly allowlist allowed origins

There is no reason not to have restrictive CORS on all endpoints; given
our API is currently only consumed by known services. We can loosen this
restriction again in the future (e.g. when we have something like OAuth
integration).

We also move to an explicit allowlist instead of trusting the entirety
of external_env_domain. Especially on-prem people might have many more
services running on their base domain and we as Wire have no control
over it. We do not want other services not in our control to be a vector
for e.g. XSS attacks. Hence we require the user of our charts to
explicitly allowlist all the expected origins. We will update the docs
to guide people into making this update if needed.

Checklist

  • Title of this PR explains the impact of the change.
  • The description provides context as to why the change should occur and what the code contributes to that effect. This could also be a link to a JIRA ticket or a Github issue, if there is one.
  • The CHANGELOG.md file in the Unreleased section has been updated to explain the change which will be included in the release notes.
  • If a component uses a new or changed internal endpoint of another component, this is mentioned in the CHANGELOG.md.
  • If this PR creates a new endpoint, or adds a new configuration flag, the endpoint / config-flag checklist (see Wire-employee only backend wiki page) has been followed.

@arianvp arianvp force-pushed the allowlist_explicit branch 2 times, most recently from 208c7b5 to 4bc520b Compare June 28, 2021 08:57
@arianvp
Copy link
Contributor Author

arianvp commented Jun 28, 2021
edited
Loading

Will have to test this, and write extensive CHANGELOG entry before merging this.

We also have to update the wire installation docs so that new users are sure to not forget this!

To be changed:

@arianvp arianvp force-pushed the allowlist_explicit branch from 4bc520b to b542f13 Compare July 7, 2021 13:44
@arianvp arianvp marked this pull request as ready for review July 7, 2021 13:49
franziskuskiefer
franziskuskiefer approved these changes Jul 12, 2021
View reviewed changes
Copy link
Contributor

@franziskuskiefer franziskuskiefer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@arianvp
Copy link
Contributor Author

arianvp commented Jul 16, 2021

Needs rebase

@arianvp arianvp closed this Sep 14, 2021
@arianvp arianvp reopened this Sep 14, 2021
@arianvp
Copy link
Contributor Author

arianvp commented Sep 14, 2021

@jmatsushita this is ready for another review

arianvp and others added 5 commits December 21, 2021 12:59
@arianvp @sysvinit
charts/nginz: Add restrictive CORS headers to all origins and explici…
724ae52 
…tly allowlist allowed origins

There is no reason not to have restrictive CORS on all endpoints; given
our API is currently only consumed by internal services that we know
apriori. We can loosen this restriction again in the future (e.g. when
we have something like OAuth
integration).

We also move to an explicit allowlist instead of trusting the entirety
of `external_env_domain`. Especially on-prem people might have many more
services running on their base domain and we as Wire have no control
over it. We do not want other services not in our control to be a vector
for e.g. XSS attacks. Hence we require the user of our charts to
explicitly allowlist all the expected origins.  We will update the docs
to guide people into making this update.
@arianvp @sysvinit
charts/nginz: Set some default allowlisted origins
47b64b2 
If people needs to adjust the subdomains, they can override them in
their values.yaml

But this makes sure things just 'work' out of the box in common case
@arianvp @sysvinit
Update changelog
5e97105
@sysvinit
Spelling and style fixes in changelog.
7d8f07e
@sysvinit
charts/nginz: fix fail-open behaviour in CORS configuration.
e9a5516 
The previous commits adding CORS configuration set the access control header
to unconditionally return the Origin header sent with the request. This would
cause fail-open behaviour, where any Origin sent by a client would be allowed.

Instead, the $cors_header variable is used, as this is specifically set based
on the request Origin header so that only origins which are explicitly in the
Helm chart's allow list configuration may make cross-origin requests to nginz
API endpoints.
@sysvinit sysvinit force-pushed the allowlist_explicit branch from 19a9865 to e9a5516 Compare January 3, 2022 08:39
@sysvinit sysvinit requested review from jschaul and flokli and removed request for jmatsushita January 3, 2022 08:39
jschaul
jschaul approved these changes Jan 26, 2022
View reviewed changes
Copy link
Member

@jschaul jschaul left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor change: we use and have been using 'account' (without s) everywhere in docs.wire.com and our own environments (except for accounts.wire.com - here we can do an override)

Looks fine, let's merge and deploy this to some of our environments.

Could you, after merging this, also add this to wire-docs somewhere?

@sysvinit sysvinit merged commit 1753b79 into develop Jan 26, 2022
@sysvinit sysvinit deleted the allowlist_explicit branch January 26, 2022 13:51
@smatting smatting mentioned this pull request Jan 26, 2022
Merged
@fisx fisx mentioned this pull request Jan 27, 2022
Merged
@supersven supersven mentioned this pull request Apr 13, 2022
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jschaul jschaul jschaul approved these changes

@arthurwolf arthurwolf Awaiting requested review from arthurwolf

@flokli flokli Awaiting requested review from flokli

+2 more reviewers

@sysvinit sysvinit sysvinit left review comments

@franziskuskiefer franziskuskiefer franziskuskiefer approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@arianvp @franziskuskiefer @jschaul @sysvinit