lib/api: Fix /rest/config path and add methods to cors (ref #7001) #7081
Conversation
|
That whitelist applies only to cross-origin requests AFAIK. Regular GUI usage is not affected by that, since the script making the requests comes from the same origin as the request target URL. As far as I understand, the browser takes care of disallowing requests from other script origins. So curl not doing it would be expected, since the "origin" is the user's command line. Does that make sense? I'm no expert on CORS, and don't quite see what security is gained by the headers Syncthing sends... |
|
Afaik this does not improve security, it on the contrary allows requests from non-GUI origins that would otherwise be blocked by the browser. For example, some Javascript running somewhere using the API key to do things. |
I meant I don't see what security gain the CORS check brings for Syncthing. As it effectively poses no restrictions, even more so with this change. Having the API open for all script origins is okay, I just wasn't sure if this function in Syncthing was actually meant to increase security somehow. |
* main: lib/folder: Clear pull errors when nothing is needed anymore (syncthing#7093) lib/api: Fix debug endpoints (ref syncthing#7001) (syncthing#7092) gui, man, authors: Update docs, translations, and contributors lib/config: Sanity checks on MaxConcurrentWrites (ref syncthing#7064) (syncthing#7069) lib/ur: Fix panics in failure-reporting (fixes syncthing#7090) (syncthing#7091) lib/ur: Fix panics in failure-reporting (fixes syncthing#7090) (syncthing#7091) build: Update dependencies (syncthing#7088) lib: Remove USE_BADGER experiment (syncthing#7089) build: Update notify (fixes syncthing#7063) (syncthing#7080) lib/api: Fix /rest/config path and add methods to cors (ref syncthing#7001) (syncthing#7081) lib/api: Allow OPTIONS method in CORS preflight request handling (ref syncthing#7017) (syncthing#7079) gui: Fix another undefined variable access (fixes syncthing#7077) (syncthing#7078) lib/config: Check for "msdos" when detecting FAT FS in Android (syncthing#7072) gui, man, authors: Update docs, translations, and contributors
Just noticed through #7079 that there's a method whitelist and thus added the new methods used in the
/rest/configendpoints. And this also fixes an issue with/rest/configthe only endpoint added in #7001 that I didn't add a test for. Weirdly enough adding the test wouldn't have helped: It doesn't fail (neither does the UI, which uses it too), while it does fail using curl. Anyway, works with curl too now.