Issue 10058

Title
Forbidden Error since update to Firefox 85
Priority
bug
Status
testing
Nosy list
ced, pokoli, reviewbot
Assigned to
ced
Keywords
review

Created on 2021-02-03.14:45:11 by pokoli, last changed 1 week ago by reviewbot.

Messages

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2021-02-18.16:35:46
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2021-02-18.16:30:23

I also get this error now on FF.
I could trace this behavior change back to https://bugzilla.mozilla.org/show_bug.cgi?id=1405971.
It seems that Chrome is also going to have this behavior.
As I said in msg64311, blindly accepting a null origin is not very good for security. So I propose to allow some routes to accept a null origin: those that we know could be accessed by a webextension and that do mutating requests.

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2021-02-04.19:08:38

I could reproduce it by using it directly from file:// or by loading the add-ons temporarily from a directory. It seems that 'Origin: null' is sent when the page comes from the file system. Is that your case?
We could add 'null' as a valid origin by default, but I do not think it is a good security measure, as a user could be manipulated into opening a crafted local file.

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2021-02-03.15:18:26

It works for me on the same Firefox version.
For me, 'null' as the value for 'Origin' does not seem to be correct. Maybe there is a misconfiguration or a plugin that corrupts the request.

Author: [hidden] (pokoli) Tryton committer Tryton translator
Date: 2021-02-03.14:45:11

Since the upgrade to Firefox 85, chronos is raising the following traceback when trying to talk to tryton:

Traceback (most recent call last):
  File "/home/pokoli/projectes/nclone/trytond/trytond/protocols/wrappers.py", line 163, in wrapper
    result = func(request, pool, *args, **kwargs)
  File "/home/pokoli/projectes/nclone/trytond/trytond/protocols/wrappers.py", line 203, in wrapper
    abort(HTTPStatus.FORBIDDEN)
  File "/home/pokoli/.virtualenvs/nclone/lib/python3.9/site-packages/werkzeug/exceptions.py", line 822, in abort
    return _aborter(status, *args, **kwargs)
  File "/home/pokoli/.virtualenvs/nclone/lib/python3.9/site-packages/werkzeug/exceptions.py", line 807, in __call__
    raise self.mapping[code](*args, **kwargs)
werkzeug.exceptions.Forbidden: 403 Forbidden: You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.

After some debugging I've discovered that the problem is that the request is sent with 'null' as the Origin header.
As this value is not in the CORS allowed resources, this causes a forbidden error on Tryton.

Not sure how we should fix this.

As a workaround, setting the TRYTOND_WEB__CORS environment variable to null fixed the issue.
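
The origin check discussed in this thread, as an added example that is not trytond's code: 'null' is rejected by default (msg64311), a per-route exception is available for routes a webextension calls (msg64690), and adding 'null' to the configured origins reproduces the global TRYTOND_WEB__CORS workaround above. The CorsPolicy class, the route paths and the reason strings are assumptions.

```python
from dataclasses import dataclass, field
from http import HTTPStatus


@dataclass(frozen=True)
class CorsPolicy:
    """Hypothetical origin check for cross-site requests (not trytond's code).

    allowed            - origins configured explicitly (as the web cors setting would be)
    null_origin_routes - routes allowed to accept the literal "null" origin
    """
    allowed: frozenset = field(default_factory=frozenset)
    null_origin_routes: frozenset = field(default_factory=frozenset)

    def check(self, route, origin):
        """Return (HTTPStatus, reason) for a request to `route`.

        `origin` is the raw Origin header value, or None when the header is absent.
        """
        # No Origin header: same-origin or non-browser request, nothing to check.
        if origin is None:
            return HTTPStatus.OK, "no Origin header"
        # Firefox 85+ (bugzilla 1405971) sends the string "null" for pages served
        # from file:// and for temporarily loaded add-ons. It is not trusted by
        # default: a crafted local file opened by the user carries the same value.
        if origin == "null":
            if route in self.null_origin_routes:
                return HTTPStatus.OK, "null origin allowed for this route"
            if "null" in self.allowed:  # the global workaround from this report
                return HTTPStatus.OK, "null origin globally allowed"
            return HTTPStatus.FORBIDDEN, "null origin rejected"
        if origin in self.allowed:
            return HTTPStatus.OK, "origin allowed"
        return HTTPStatus.FORBIDDEN, "origin %r not allowed" % origin


def decide(policy, route, origin):
    """Convenience wrapper returning only the HTTP status."""
    return policy.check(route, origin)[0]


if __name__ == "__main__":
    # Constructed sample: one explicitly allowed origin and one route opened to
    # a webextension such as chronos that posts timesheet lines (assumed path).
    policy = CorsPolicy(
        allowed=frozenset({"https://tryton.example.org"}),
        null_origin_routes=frozenset({"/timesheet/lines"}),
    )
    for route, origin in [("/timesheet/lines", "null"), ("/model/party", "null"),
                          ("/model/party", "https://tryton.example.org")]:
        print(route, origin, *policy.check(route, origin))
```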

History
Date                 User       Action  Args
2021-02-21 23:13:37  reviewbot  set     messages: + msg64769
2021-02-18 16:35:46  ced        set     messages: + msg64693
2021-02-18 16:35:17  ced        set     component: + trytond, timesheet; status: in-progress -> testing
2021-02-18 16:34:35  reviewbot  set     messages: + msg64692; nosy: + reviewbot
2021-02-18 16:34:34  reviewbot  set     keyword: + review; reviews: 331931002
2021-02-18 16:30:23  ced        set     assignedto: ced; messages: + msg64690; status: chatting -> in-progress
2021-02-04 19:08:38  ced        set     messages: + msg64311
2021-02-03 15:18:26  ced        set     messages: + msg64259; nosy: + ced; status: unread -> chatting
2021-02-03 14:45:11  pokoli     create
