openbmc REST API has too permissive CORS policy
nishanths1992 at gmail.com
Thu Jan 23 12:50:20 AEDT 2020
The BMC REST API effectively allows cross-origin requests from any
domain to almost all URLs. If a user accesses the API from a browser, then
any other malicious website visited in that browser will be able to access
the REST API without the user's knowledge.
At line 1329 of rest_dbus.py, if the request contains an Origin header,
the REST server adds that origin to the "Access-Control-Allow-Origin" of the

    origin = request.headers.get('Origin')
    response.add_header('Access-Control-Allow-Origin', origin)
Browsers use the Access-Control-Allow-Origin header to determine which
other origins are allowed to send cross-origin requests to the REST API.
effectively allows all origins to send cross-origin requests. This header is
applied to all property and method accesses through the API.
What is the significance of this?
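As an added illustration of the pattern the post describes (this is example code, not code from the openbmc repository), the function below reproduces the reflected-Origin behaviour next to an allowlist-based alternative. It is written over a plain dict of request headers so that it runs without any web framework; the allowlist `ALLOWED_ORIGINS`, the function names and the host names are this example's own constructed values.

```python
# Added example, not part of the openbmc code base or of the original post.
# Two ways of producing CORS response headers from an incoming Origin header:
# the reflecting form described in the post, and an allowlist form that only
# echoes back origins the operator has explicitly approved.

from urllib.parse import urlsplit

# Constructed allowlist: the origins the BMC's own web UI is served from.
ALLOWED_ORIGINS = {
    "https://bmc.example.internal",
    "https://bmc.example.internal:8443",
}


def cors_headers_reflecting(request_headers):
    """Pattern described in the post: whatever Origin the browser sends is
    copied verbatim into Access-Control-Allow-Origin, so a page on any site
    the user happens to visit is allowed to read REST API responses."""
    origin = request_headers.get("Origin")
    headers = {}
    if origin:
        headers["Access-Control-Allow-Origin"] = origin
    return headers


def normalize_origin(origin):
    """Reduce an Origin value to scheme://host[:port], or return None when it
    is not a plain web origin ('null', a bare word, a value carrying a path or
    userinfo, an unparsable port). Comparing normalized forms keeps casing and
    formatting variants from slipping past an exact-match allowlist."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname  # already lower-cased by urlsplit
    return f"{parts.scheme}://{host}:{port}" if port else f"{parts.scheme}://{host}"


def cors_headers_allowlisted(request_headers, allowed=ALLOWED_ORIGINS):
    """Only an origin that exactly matches an allowlist entry is echoed back.
    Any other origin gets no Access-Control-Allow-Origin header at all, so the
    browser refuses to hand the response to the calling script. 'Vary: Origin'
    is always set so an intermediate cache cannot serve one origin's CORS
    answer to a request from a different origin."""
    origin = request_headers.get("Origin")
    headers = {"Vary": "Origin"}
    if origin:
        norm = normalize_origin(origin)
        allowed_norm = {normalize_origin(a) for a in allowed}
        if norm is not None and norm in allowed_norm:
            headers["Access-Control-Allow-Origin"] = norm
    return headers


if __name__ == "__main__":
    # Constructed requests: one from the BMC's own UI, one from an unrelated site.
    for hdrs in ({"Origin": "https://bmc.example.internal"},
                 {"Origin": "https://other-site.example"}):
        print(hdrs["Origin"])
        print("  reflecting :", cors_headers_reflecting(hdrs))
        print("  allowlisted:", cors_headers_allowlisted(hdrs))
```

Note that Access-Control-Allow-Origin only controls whether the calling page may read the response; a cross-origin request that the browser classifies as "simple" is still delivered to the server regardless of the header, so state-changing endpoints need their own protection (an anti-CSRF token or a SameSite session cookie) in addition to a correct allowlist.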