Created on 2021-02-03.14:45:11 by pokoli, last changed 1 week ago by reviewbot.
Here is the explanation of null origin: https://wiki.mozilla.org/Security/Origin#Selection_of_.22null.22_token
I also get this error now on FF.
I could track this behavior change back to https://bugzilla.mozilla.org/show_bug.cgi?id=1405971.
It seems that Chrome is also going to have this behavior.
As I said in msg64311, blindly accepting the null origin is not very good for security. So I propose to allow some routes to accept the null origin: those that we know could be accessed by a webextension and make mutable requests.
I could reproduce it by using the page directly from file:// or by loading the add-ons temporarily from a directory. It seems that 'Origin: null' is sent when the page comes from the file system. Is it your case?
We could add 'null' as a valid origin by default, but I do not think it is a good security measure, as a user could be manipulated into opening a crafted local file.
It works for me on the same Firefox version.
For me, 'null' as the value of 'Origin' does not seem to be correct. Maybe there is a misconfiguration or a plugin that corrupts the request.
Since the upgrade to Firefox 85, chronos is raising the following traceback when trying to talk to tryton:

```
Traceback (most recent call last):
  File "/home/pokoli/projectes/nclone/trytond/trytond/protocols/wrappers.py", line 163, in wrapper
    result = func(request, pool, *args, **kwargs)
  File "/home/pokoli/projectes/nclone/trytond/trytond/protocols/wrappers.py", line 203, in wrapper
    abort(HTTPStatus.FORBIDDEN)
  File "/home/pokoli/.virtualenvs/nclone/lib/python3.9/site-packages/werkzeug/exceptions.py", line 822, in abort
    return _aborter(status, *args, **kwargs)
  File "/home/pokoli/.virtualenvs/nclone/lib/python3.9/site-packages/werkzeug/exceptions.py", line 807, in __call__
    raise self.mapping[code](*args, **kwargs)
werkzeug.exceptions.Forbidden: 403 Forbidden: You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.
```
After some debugging I've discovered that the problem is that the request is sent with 'null' as the Origin header.
As this value is not inside the CORS allowed resources, this causes a forbidden error on Tryton.
Not sure how we should fix this.
As a workaround, setting the TRYTOND_WEB__CORS environment variable to null fixed the issue.
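The route-scoped handling of a 'null' Origin that the thread discusses (reject it by default, accept it only on routes a webextension is known to call, or everywhere if the operator lists "null" in the allowed origins as in the workaround) as an added example. This is not trytond's code: `check_origin`, `is_well_formed_origin`, the allowed origins and the `/timesheet/lines` route are assumptions made for the example.

```python
from http import HTTPStatus
from urllib.parse import urlsplit

# Constructed configuration (assumption, not trytond's real settings): the
# origins an operator would normally allow, and the few routes that opt in to
# the opaque "null" origin because a browser extension drives them.
ALLOWED_ORIGINS = frozenset({"https://tryton.example", "https://app.example:8443"})
NULL_ORIGIN_ROUTES = frozenset({"/timesheet/lines"})  # hypothetical route


def is_well_formed_origin(origin: str) -> bool:
    """A serialized origin is scheme://host[:port]: no path, query, fragment or userinfo."""
    parts = urlsplit(origin)
    return (
        parts.scheme in {"http", "https"}
        and bool(parts.netloc)
        and "@" not in parts.netloc
        and parts.path == ""
        and not parts.query
        and not parts.fragment
    )


def check_origin(origin, path, allowed_origins=ALLOWED_ORIGINS,
                 null_origin_routes=NULL_ORIGIN_ROUTES) -> HTTPStatus:
    """Decide whether a request with this Origin header may reach `path`.

    Returns HTTPStatus.OK or HTTPStatus.FORBIDDEN, mirroring the abort() seen in
    the traceback above (the decision is modelled here, not taken from trytond).
    """
    if origin is None:
        # No Origin header: not a cross-origin browser request, nothing to compare.
        return HTTPStatus.OK
    if origin == "null":
        # Opaque origin: file:// pages, sandboxed iframes, some extension contexts
        # (what Firefox 85 now sends). Accept it only where explicitly opted in,
        # or when the operator has chosen the blanket workaround from the thread.
        if "null" in allowed_origins or path in null_origin_routes:
            return HTTPStatus.OK
        return HTTPStatus.FORBIDDEN
    if not is_well_formed_origin(origin):
        return HTTPStatus.FORBIDDEN
    # Exact match against the allow-list; prefix or substring comparison is a
    # classic CORS misconfiguration, so the whole serialized origin must match.
    if origin.lower() in allowed_origins:
        return HTTPStatus.OK
    return HTTPStatus.FORBIDDEN


if __name__ == "__main__":
    # Constructed requests: (Origin header, path) pairs a server might see.
    samples = [
        (None, "/"),
        ("https://tryton.example", "/"),
        ("https://tryton.example/", "/"),           # trailing slash is not an origin
        ("null", "/"),                              # file:// page hitting a normal route
        ("null", "/timesheet/lines"),               # file:// page hitting an opted-in route
    ]
    for origin, path in samples:
        print(f"{origin!r:32} {path:20} -> {check_origin(origin, path).phrase}")
```

With the defaults above, the first call in the traceback's scenario (`Origin: null` on an ordinary route) still yields 403, while the same origin on an opted-in route passes; passing `allowed_origins=frozenset({"null", ...})` reproduces the environment-variable workaround for every route.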
History

Date | User | Action | Args
---|---|---|---
2021-02-21 23:13:37 | reviewbot | set | messages: + msg64769
2021-02-18 16:35:46 | ced | set | messages: + msg64693
2021-02-18 16:35:17 | ced | set | component: + trytond, timesheet; status: in-progress -> testing
2021-02-18 16:34:35 | reviewbot | set | messages: + msg64692; nosy: + reviewbot
2021-02-18 16:34:34 | reviewbot | set | keyword: + review; reviews: 331931002
2021-02-18 16:30:23 | ced | set | assignedto: ced; messages: + msg64690; status: chatting -> in-progress
2021-02-04 19:08:38 | ced | set | messages: + msg64311
2021-02-03 15:18:26 | ced | set | messages: + msg64259; nosy: + ced; status: unread -> chatting
2021-02-03 14:45:11 | pokoli | create |