Issue 10058

Title: Forbidden Error since update to firefox 85
Priority: bug
Status: resolved
Nosy list: ced, pokoli, reviewbot, roundup-bot
Assigned to: ced
Keywords: review

Created on 2021-02-03.14:45:11 by pokoli, last changed 2 months ago by roundup-bot.

Messages

New changeset fd563d05b1bd by Cédric Krier in branch 'default':
Add route wrapper to allow null origin
https://hg.tryton.org/tryton-env/rev/fd563d05b1bd
New changeset 340454839b57 by Cédric Krier in branch 'default':
Add route wrapper to allow null origin
https://hg.tryton.org/trytond/rev/340454839b57
New changeset 0a5d5fdb385f by Cédric Krier in branch 'default':
Allow null origin for timesheet user application
https://hg.tryton.org/modules/timesheet/rev/0a5d5fdb385f
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2021-02-18.16:35:46
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2021-02-18.16:30:23

I get also this error now on FF.
I could track back this behavior change to https://bugzilla.mozilla.org/show_bug.cgi?id=1405971.
It seems that Chrome is also going to have this behavior.
As I said in msg64311, accepting null origin blindly is not very good for security. So I propose to allow some routes to accept null origin: those that we know can be accessed by a web extension and make mutable requests.
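A small model of the per-route opt-in proposed above, written as an added example rather than trytond's own wrapper code (the names `Request`, `allow_null_origin`, `cors_protected` and `dispatch` are assumptions, and the configured origin is constructed): mutable requests with `Origin: null` are refused by the generic CORS check and accepted only on routes that explicitly carry the marker.

```python
from collections import namedtuple
from functools import wraps
from http import HTTPStatus

Request = namedtuple("Request", "method headers")  # constructed werkzeug stand-in
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

class Forbidden(Exception):
    """Stands in for abort(HTTPStatus.FORBIDDEN) in the traceback above."""

def allow_null_origin(func):
    """Opt one route in to 'Origin: null' (assumed name): only routes a
    browser extension is known to call with mutable requests get this."""
    func.allow_null_origin = True
    return func

def cors_protected(allowed_origins):
    """Reject mutable requests whose Origin is not allow-listed. 'null' is never
    taken from the allow-list (a crafted local file the user opens sends it too);
    a request with no Origin header (non-browser client) passes: an assumption."""
    def decorator(func):
        @wraps(func)
        def wrapper(request, *args, **kwargs):
            origin = request.headers.get("Origin")
            if request.method not in SAFE_METHODS and origin is not None:
                if origin == "null":
                    if not getattr(func, "allow_null_origin", False):
                        raise Forbidden()
                elif origin not in allowed_origins:
                    raise Forbidden()
            return func(request, *args, **kwargs)
        return wrapper
    return decorator

def dispatch(route, request):
    """HTTP status the route answers with (200 or 403) for this request."""
    try:
        route(request)
    except Forbidden:
        return HTTPStatus.FORBIDDEN
    return HTTPStatus.OK

@cors_protected({"https://tryton.example"})
def generic_route(request):
    return "ok"

@cors_protected({"https://tryton.example"})
@allow_null_origin
def timesheet_route(request):
    return "ok"
```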

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2021-02-04.19:08:38

I could reproduce it by using the page directly from file:// or by loading the add-ons temporarily from a directory. It seems that 'Origin: null' is sent when the page comes from the file system. Is that your case?
We could add 'null' as a valid origin by default, but I do not think it is a good security measure, as a user could be manipulated into opening a crafted local file.

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2021-02-03.15:18:26

It works for me on the same firefox version.
For me, 'null' as the value of 'Origin' does not seem to be correct. Maybe there is a misconfiguration or a plugin that corrupts the request.

Author: [hidden] (pokoli) Tryton committer Tryton translator
Date: 2021-02-03.14:45:11

Since the upgrade to firefox 85, chronos is raising the following traceback when trying to talk to tryton:

Traceback (most recent call last):
  File "/home/pokoli/projectes/nclone/trytond/trytond/protocols/wrappers.py", line 163, in wrapper
    result = func(request, pool, *args, **kwargs)
  File "/home/pokoli/projectes/nclone/trytond/trytond/protocols/wrappers.py", line 203, in wrapper
    abort(HTTPStatus.FORBIDDEN)
  File "/home/pokoli/.virtualenvs/nclone/lib/python3.9/site-packages/werkzeug/exceptions.py", line 822, in abort
    return _aborter(status, *args, **kwargs)
  File "/home/pokoli/.virtualenvs/nclone/lib/python3.9/site-packages/werkzeug/exceptions.py", line 807, in __call__
    raise self.mapping[code](*args, **kwargs)
werkzeug.exceptions.Forbidden: 403 Forbidden: You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.

After some debugging I've discovered that the problem is that the request is sent with 'null' as the Origin header.
As this value is not inside the CORS allowed resources, this causes a forbidden error on Tryton.

Not sure how we should fix this.

As a workaround, setting the TRYTOND_WEB__CORS environment variable to null fixed the issue.

History
Date                 User         Action  Args
2021-03-07 10:01:56  roundup-bot  set     messages: + msg65212
2021-03-07 10:01:52  roundup-bot  set     messages: + msg65211
2021-03-07 10:01:51  roundup-bot  set     messages: + msg65210; nosy: + roundup-bot; status: testing -> resolved
2021-02-21 23:13:37  reviewbot    set     messages: + msg64769
2021-02-18 16:35:46  ced          set     messages: + msg64693
2021-02-18 16:35:17  ced          set     component: + trytond, timesheet; status: in-progress -> testing
2021-02-18 16:34:35  reviewbot    set     messages: + msg64692; nosy: + reviewbot
2021-02-18 16:34:34  reviewbot    set     keyword: + review; reviews: 331931002
2021-02-18 16:30:23  ced          set     assignedto: ced; messages: + msg64690; status: chatting -> in-progress
2021-02-04 19:08:38  ced          set     messages: + msg64311
