openbmc REST API has too permissive CORS policy

Nishanth S nishanths1992 at
Thu Jan 23 12:50:20 AEDT 2020

Hi All,

     The BMC REST API effectively allows cross-origin requests from any
domain to almost all URLs. If a user accesses the API from a browser, then
any other malicious website visited in that browser will be able to access
the REST API without the user's knowledge.

At line 1329 of [1], if the request contains an Origin header, the
REST server adds that origin to the "Access-Control-Allow-Origin" header of the

    from bottle import request, response   # the REST server is a bottle app

    def process_origin():
        # Reflects whatever Origin the client sent, and allows credentials
        origin = request.headers.get('Origin')
        if origin:
            response.add_header('Access-Control-Allow-Origin', origin)
            response.add_header('Access-Control-Allow-Credentials', 'true')

Browsers use the Access-Control-Allow-Origin header to determine which
other origins are allowed to send cross-origin requests to the REST API.
effectively allows all origins to send cross-origin requests. This header
is applied to all property and method accesses through the API.

    What is the significance of this?

Thank you,
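The following is an added example, not code from the openbmc project or from the post above. It models, with the standard library only, what a browser does with the reflected-Origin headers described in the report versus an exact-match allow-list, and includes the suffix-match "fix" that is still bypassable. The BMC origin, attacker origin, session cookie and JSON body are constructed for the demo, and browser_exposes_response is an approximation of the Fetch specification's CORS response check for a simple request, not a real browser.

```python
# Added example (not openbmc/phosphor-rest-server code): how a browser treats
# reflected-Origin CORS headers versus an allow-list. All origins, the cookie
# and the response body below are constructed for the demo.

BMC_ORIGIN = "https://bmc.example"          # assumed BMC origin
ATTACKER_ORIGIN = "https://evil.example"    # assumed attacker page origin
ALLOWED_ORIGINS = frozenset({BMC_ORIGIN})


def reflect_origin(req_headers):
    """The pattern from the report: echo any Origin back and allow credentials."""
    resp = {}
    origin = req_headers.get("Origin")
    if origin:
        resp["Access-Control-Allow-Origin"] = origin
        resp["Access-Control-Allow-Credentials"] = "true"
    return resp


def suffix_match_origin(req_headers, trusted_host):
    """A common but still broken 'fix': trust anything ending in the BMC host.

    https://evilbmc.example ends with 'bmc.example' and is accepted.
    """
    resp = {}
    origin = req_headers.get("Origin")
    if origin and origin.endswith(trusted_host):
        resp["Access-Control-Allow-Origin"] = origin
        resp["Access-Control-Allow-Credentials"] = "true"
    return resp


def allowlist_origin(req_headers, allowed=ALLOWED_ORIGINS):
    """Exact-match allow-list of full origins (scheme://host[:port])."""
    resp = {"Vary": "Origin"}  # response differs per Origin; tell caches so
    origin = req_headers.get("Origin")
    if origin in allowed:      # 'null' and unlisted origins get no CORS headers
        resp["Access-Control-Allow-Origin"] = origin
        resp["Access-Control-Allow-Credentials"] = "true"
    return resp


def browser_exposes_response(page_origin, resp_headers, with_credentials=True):
    """Approximation of the browser's CORS response check for a simple request.

    For a credentialed request the browser rejects '*', requires
    Access-Control-Allow-Credentials: true, and needs an exact origin match.
    """
    acao = resp_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        if acao == "*":
            return False
        if resp_headers.get("Access-Control-Allow-Credentials") != "true":
            return False
        return acao == page_origin
    return acao == "*" or acao == page_origin


def cross_origin_read(policy, page_origin):
    """Simulate a page at page_origin doing fetch(bmc_url, {credentials: 'include'}).

    The browser attaches the victim's BMC session cookie and sets the Origin
    header itself; page script cannot forge it. Returns the JSON the script
    can read, or None when the browser withholds the response.
    """
    req_headers = {"Origin": page_origin, "Cookie": "sid=<victim-session>"}
    # Constructed sample body standing in for a REST API enumeration response.
    body = {"data": {"/xyz/openbmc_project/state/bmc0": {"CurrentBMCState": "Ready"}}}
    resp_headers = policy(req_headers)
    return body if browser_exposes_response(page_origin, resp_headers) else None


if __name__ == "__main__":
    print("reflect  :", cross_origin_read(reflect_origin, ATTACKER_ORIGIN))
    print("suffix   :", cross_origin_read(
        lambda h: suffix_match_origin(h, "bmc.example"), "https://evilbmc.example"))
    print("allowlist:", cross_origin_read(allowlist_origin, ATTACKER_ORIGIN))
    print("allowlist:", cross_origin_read(allowlist_origin, BMC_ORIGIN))
```

Running it shows the attacker page reading the victim's data under both the reflecting policy and the suffix match, and getting None under the exact-match allow-list. Two practitioner notes: emit Vary: Origin whenever the allow-list varies the header, and never allow-list the literal origin "null", which sandboxed iframes and some redirects produce.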