Issue 10058
- Title
- Forbiden Error since update to firefox 85
- Priority
- bug
- Status
- resolved
- Nosy list
- ced, pokoli, reviewbot, roundup-bot
- Assigned to
- ced
- Keywords
- review
Created on 2021-02-03.14:45:11 by pokoli, last changed 2 months ago by roundup-bot.
Messages
New changeset fd563d05b1bd by Cédric Krier in branch 'default': Add route wrapper to allow null origin https://hg.tryton.org/tryton-env/rev/fd563d05b1bd
New changeset 340454839b57 by Cédric Krier in branch 'default': Add route wrapper to allow null origin https://hg.tryton.org/trytond/rev/340454839b57
New changeset 0a5d5fdb385f by Cédric Krier in branch 'default': Allow null origin for timesheet user application https://hg.tryton.org/modules/timesheet/rev/0a5d5fdb385f
Here is the explanation of null origin: https://wiki.mozilla.org/Security/Origin#Selection_of_.22null.22_token
I get also this error now on FF.
I could track back this behavior change to https://bugzilla.mozilla.org/show_bug.cgi?id=1405971.
It seems that Chrome is also going to have this behavior.
As I said in msg64311, accept blindly null origin is not very good for security. So I propose to allow some routes to accept null origin. Those that we know could be accessed by webextension and doing mutable request.
I could reproduce by using directly from file:// or by loading temporary the addons from a directory. It seems that 'Origin: null' is when the page comes from the file system. Is it your case?
We could add 'null' as valid origin by default but I do not think it is a good security measure as user could be manipulated to open a crafted local file.
It works for me on the same firefox version.
For me 'null' as value for 'Origin' does not seem to be correct. Maybe there is a misconfiguration or a plugin that corrupt the request.
Since the upgrade to firefox 85, chronos is raising the following traceback when trying to talk to tryton:
Traceback (most recent call last):
File "/home/pokoli/projectes/nclone/trytond/trytond/protocols/wrappers.py", line 163, in wrapper
result = func(request, pool, *args, **kwargs)
File "/home/pokoli/projectes/nclone/trytond/trytond/protocols/wrappers.py", line 203, in wrapper
abort(HTTPStatus.FORBIDDEN)
File "/home/pokoli/.virtualenvs/nclone/lib/python3.9/site-packages/werkzeug/exceptions.py", line 822, in abort
return _aborter(status, *args, **kwargs)
File "/home/pokoli/.virtualenvs/nclone/lib/python3.9/site-packages/werkzeug/exceptions.py", line 807, in __call__
raise self.mapping[code](*args, **kwargs)
werkzeug.exceptions.Forbidden: 403 Forbidden: You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.
After some debugging i've discovered that the problem is that the request is send with 'null' as origin header.
As this value is not inside the cors allowed resources this causes a forbiden error on Tryton.
Not sure how we should fix this.
As a workarround, setting TRYTOND_WEB__CORS enviornment variable to null fixed the issue
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2021-03-07 10:01:56 | roundup-bot | set | messages: + msg65212 |
| 2021-03-07 10:01:52 | roundup-bot | set | messages: + msg65211 |
| 2021-03-07 10:01:51 | roundup-bot | set | messages:
+ msg65210 nosy: + roundup-bot status: testing -> resolved |
| 2021-02-21 23:13:37 | reviewbot | set | messages: + msg64769 |
| 2021-02-18 16:35:46 | ced | set | messages: + msg64693 |
| 2021-02-18 16:35:17 | ced | set | component:
+ trytond, timesheet status: in-progress -> testing |
| 2021-02-18 16:34:35 | reviewbot | set | messages:
+ msg64692 nosy: + reviewbot |
| 2021-02-18 16:34:34 | reviewbot | set | keyword:
+ review reviews: 331931002 |
| 2021-02-18 16:30:23 | ced | set | assignedto: ced messages: + msg64690 status: chatting -> in-progress |
| 2021-02-04 19:08:38 | ced | set | messages: + msg64311 |
Showing 10 items. Show all history (warning: this could be VERY long)