Phosphor Web-ui: Server unreachable

Tanous, Ed ed.tanous at intel.com
Wed Aug 8 00:24:34 AEST 2018


This is a security measure in bmcweb to prevent cross site scripting.  If you’re running phosphor-webui from another machine, you’re essentially running cross site scripting as a development measure, which is exactly what the BMC sees, and the browser squashes the request as a suspected XSS attack.

The easiest way to make this work for testing is to go to this file:
https://github.com/openbmc/bmcweb/blob/master/include/security_headers_middleware.hpp

and comment out lines 42-44, which set headers to prevent the bmc squashing the request.

It’s been a while since I’ve developed like that, but you likely also need to add a couple headers as well
req.addHeader("Access-Control-Allow-Origin", "*");
req.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH");

I know you’re not the first person to hit this unexpectedly.  If you get a header recipe that allows development, it would be great if you could codify it into an option called BMC_INSECURE_ALLOW_XSS, add it to the build configuration, and put it up for a gerrit review;  I’m fairly certain it would help others.

-Ed

From: AKASH G J [mailto:akashgj91 at gmail.com]
Sent: Tuesday, August 7, 2018 3:13 AM
To: Tanous, Ed <ed.tanous at intel.com>
Cc: openbmc at lists.ozlabs.org
Subject: Re: Phosphor Web-ui: Server unreachable

Hi Ed,

Sorry for the late reply. I was on leave last week.

I am hosting phosphor-webui on a different machine and trying to connect to the BMC board using its IP address. I am using the bmcweb platform. When I tried to log in, the following message appeared in the browser console.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://<BMC-IP>/login. (Reason: CORS request did not succeed).
<unavailable> activity-stream.bundle.js:3170:9
CSI/tbsd_ cb=gapi.loaded_0:458:127
CSI/_tbnd cb=gapi.loaded_0:458:127
CSI/tbsd_ cb=gapi.loaded_0:458:127
CSI/_tbnd cb=gapi.loaded_0:458:127



Thanks and Regards,

Akash

On Mon, Jul 30, 2018 at 11:06 PM, Ed Tanous <ed.tanous at intel.com> wrote:
On 07/30/2018 05:04 AM, AKASH G J wrote:
Hi Team,

I added phosphor-webui to the Linux image and set up the client side of the web interface. On the client side of the web interface I was able to give the IP address, username and password. After entering all those details, it shows "server unreachable". But I am able to ping the server board and ssh into the system. Could someone please help to resolve the problem?



Thanks and Regards,

Akash G J

We need some basic information to help you troubleshoot.  You might also find faster responses on IRC; most of the people involved in the web infrastructure are online there.

1. What platform are you using?
2. If not one of the upstream platforms, which web server is your platform using?  (probably one of phosphor-rest, bmcweb, or phosphor-rest+nginx)
3. When you open up the debugger window in your chosen browser (usually the F12 key) then go to the network tab and attempt to log in, what do you see?  You should see an attempt to get to the /login url, with some kind of error code (maybe 401, maybe 500, maybe something else).  We'll need that to help troubleshoot.
4. Is there anything else strange about your setup that you might think would contribute to your issue?
5. Are you hosting phosphor-webui from a different machine from the BMC?  Depending on what server you are using, there are likely security settings preventing cross site scripting that are blocking you.
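
Added example, not part of the original thread and not bmcweb code: one way a development-only header recipe like the one discussed above could echo an allow-listed origin instead of sending "*", which browsers refuse to honour on requests that carry credentials. The names corsHeaders and kDevOrigins, the origin value, the cookie-based session and the Content-Type request header are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

using Headers = std::map<std::string, std::string>;

// Constructed development allow-list (hypothetical host serving phosphor-webui).
static const std::set<std::string> kDevOrigins = {
    "https://dev-workstation.example:8080"};

// Hypothetical helper: returns the CORS response headers for one request,
// given the HTTP method and the Origin header the browser sent.
Headers corsHeaders(const std::string& method, const std::string& origin,
                    const std::set<std::string>& allowed = kDevOrigins)
{
    Headers h;
    // The response depends on Origin, so caches must key on it.
    h["Vary"] = "Origin";
    // No Origin header or an origin not on the list: send no CORS headers,
    // and the browser keeps blocking the cross-origin read.
    if (origin.empty() || allowed.count(origin) == 0)
    {
        return h;
    }
    // Echo the exact origin. "*" is rejected by browsers when the request
    // includes credentials such as a session cookie (assumed here).
    h["Access-Control-Allow-Origin"] = origin;
    h["Access-Control-Allow-Credentials"] = "true";
    if (method == "OPTIONS")
    {
        // Preflight: state which methods and request headers are accepted.
        h["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH";
        h["Access-Control-Allow-Headers"] = "Content-Type";
    }
    return h;
}

int main()
{
    // Constructed preflight for /login from the allow-listed origin.
    for (const auto& kv :
         corsHeaders("OPTIONS", "https://dev-workstation.example:8080"))
    {
        std::cout << kv.first << ": " << kv.second << "\n";
    }
    return 0;
}
```
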
