openbmc REST API has too permissive CORS policy

Joseph Reynolds jrey at
Fri Jan 24 04:42:47 AEDT 2020

On 1/22/20 7:50 PM, Nishanth S wrote:
> Hi All,
>      The BMC REST API effectively allows cross-origin requests from 
> any domain to almost all URLs. If a user accesses the API from a 
> browser, then any other malicious website visited in that browser will 
> be able to access the REST API without the user's knowledge.
> At line 1329 of [1], if the request contains an Origin header, the
> REST server adds that origin to the "Access-Control-Allow-Origin" of the
> response:
>     def process_origin():
>         origin = request.headers.get('Origin')
>         if origin:
>             response.add_header('Access-Control-Allow-Origin', origin)
>             response.add_header('Access-Control-Allow-Credentials', 'true')
> Browsers use the Access-Control-Allow-Origin header to determine which
> other origins are allowed to send cross-origin requests to the REST
> API. This effectively allows all origins to send cross-origin requests.
> This header is applied to all property and method accesses through the
> API.
>     What is the significance of this?

Thanks for your email!  You are referring to the older web server.  You 
included a reference ("[1]") but I didn't see a link.  I assume:

The OpenBMC project has moved to BMCWeb (
BMCWeb uses OWASP recommendations for HTTP request and response 
headers.  See:

In particular, the default BMCWeb Content-Security-Policy includes 
default-src 'none', so CORS is not allowed.  You can build BMCweb with 
website off of the BMC (as some folks do for testing) or perform CORS in 
your secure environment.  For other uses, you're free to change the 
headers in your downstream implementation or discuss in the mailing list.

If you are using the old REST server, I would encourage you to move up 
to BMCWeb.  I am not aware of any maintenance on the phosphor rest server.

- Joseph

> Thank you,
> Nishanth
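As an added illustration of the misconfiguration Nishanth describes (not code from OpenBMC or either poster), the snippet below reproduces the Origin-reflecting behaviour of the old REST server beside a fixed-allowlist variant, plus the check a defender can run against any CORS handler to see whether it echoes an arbitrary origin. It is framework-agnostic: the functions return header dicts instead of touching a real request or response object, and the origins used are constructed sample values.

```python
from urllib.parse import urlsplit

def reflecting_cors_headers(origin):
    """Mirrors the quoted process_origin(): whatever Origin the browser
    sends is echoed back, with credentials allowed, so every site on the
    web is trusted to read authenticated responses."""
    headers = {}
    if origin:
        headers['Access-Control-Allow-Origin'] = origin
        headers['Access-Control-Allow-Credentials'] = 'true'
    return headers

def allowlisted_cors_headers(origin, allowed_origins):
    """Hardened variant: only an exact scheme://host[:port] match against a
    fixed allowlist gets CORS headers; everything else (unknown sites, the
    opaque 'null' origin, values carrying a path) gets none, so the browser
    refuses the cross-origin read. 'Vary: Origin' stops a shared cache from
    replaying one origin's response to another."""
    if not origin:
        return {}
    parts = urlsplit(origin)
    if parts.scheme not in ('https', 'http') or not parts.netloc:
        return {}
    if parts.path or parts.query or parts.fragment:
        return {}
    normalized = f"{parts.scheme}://{parts.netloc}"
    if normalized not in set(allowed_origins):
        return {}
    return {
        'Access-Control-Allow-Origin': normalized,
        'Access-Control-Allow-Credentials': 'true',
        'Vary': 'Origin',
    }

def reflects_any_origin(header_fn, *args):
    """Defender's check: hand the handler an origin that should never be
    trusted and see whether it comes back in Access-Control-Allow-Origin.
    True means the handler is open to every site, as in the report."""
    probe = 'https://untrusted.example'  # constructed, never in an allowlist
    headers = header_fn(probe, *args)
    return headers.get('Access-Control-Allow-Origin') == probe

# Constructed allowlist: the one web UI origin that legitimately calls the BMC.
ALLOWED_ORIGINS = ['https://bmc-ui.example']
```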
