Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/10/01 00:40:00 UTC

[jira] [Commented] (NIFI-9241) Review CORS Security Configuration

    [ https://issues.apache.org/jira/browse/NIFI-9241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17423058#comment-17423058 ] 

ASF subversion and git services commented on NIFI-9241:
-------------------------------------------------------

Commit e16a6c2b89879034be65cca56b33724914b54033 in nifi's branch refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=e16a6c2 ]

NIFI-9241 Refactored CSRF mitigation using random Request-Token

- Replaced use of Authorization header with custom Request-Token header for CSRF mitigation
- Added Request-Token cookie for CSRF mitigation
- Replaced session storage of JWT with expiration in seconds
- Removed and disabled CORS configuration
- Disabled HTTP OPTIONS method
- Refactored HTTP Proxy URI construction using RequestUriBuilder

Signed-off-by: Nathan Gough <th...@gmail.com>

This closes #5417.


> Review CORS Security Configuration
> ----------------------------------
>
>                 Key: NIFI-9241
>                 URL: https://issues.apache.org/jira/browse/NIFI-9241
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core UI, Security
>    Affects Versions: 1.8.0, 1.14.0
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The NiFi Web Security Configuration includes a custom CORS Configuration Source that disallows HTTP POST requests for Template Uploads. This works as expected with direct access to the NiFi UI, but causes issues when attempting to upload a template to NiFi through a reverse proxy.
> When a web browser sends a template upload request that includes an unexpected {{Origin}} header, the Spring CORS Filter returns HTTP 403 Forbidden with a response body containing the message {{Invalid CORS Request}}.  NIFI-6080 describes a workaround that involves setting a different {{Origin}} header.  The current approach as implemented in NIFI-5595 should be evaluated for potential improvements to avoid this behavior when running NiFi with a reverse proxy.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
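As an added example (not NiFi's code and not part of the commit or the Jira thread above), the following Python models the two behaviours discussed: the Origin-based CORS rejection that the issue reports behind a reverse proxy, and the Request-Token header/cookie comparison the commit describes. The header and cookie name "Request-Token" and the disabled OPTIONS method are taken from the commit message; the request/response model, the token format, the allowed-origin list and the URL paths are assumptions made for this illustration.

```python
"""Double-submit-cookie CSRF check in the style of the Request-Token change.

Added example, not code from NiFi or the commit above. The name "Request-Token"
and the disabled OPTIONS method come from the commit message; the request
model, token format, allowed-origin list and paths are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

TOKEN_HEADER = "Request-Token"   # header the UI script copies the cookie into
TOKEN_COOKIE = "Request-Token"   # cookie set by the server at login
SAFE_METHODS = {"GET", "HEAD"}   # read-only methods need no token


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """HTTP header names are case-insensitive."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


@dataclass
class Response:
    status: int
    body: str = ""


def issue_request_token(nbytes: int = 32) -> str:
    """Unguessable token from the CSPRNG, set as the cookie at login. The cookie
    must stay readable by the UI's script so it can be echoed in the header,
    so it is not HttpOnly (an assumption of this pattern, not NiFi's setting)."""
    return secrets.token_urlsafe(nbytes)


def origin_check(req: Request, allowed_origins: Set[str]) -> Optional[Response]:
    """Model of the behaviour the issue reports: a state-changing request with
    an unexpected Origin gets 403 'Invalid CORS Request'. Behind a reverse
    proxy the browser's Origin is the proxy host, so a real upload fails too."""
    if req.method in SAFE_METHODS:
        return None
    origin = req.header("Origin")
    if origin is not None and origin not in allowed_origins:
        return Response(403, "Invalid CORS Request")
    return None


def request_token_check(req: Request) -> Optional[Response]:
    """Double-submit check: the custom header must equal the cookie. A cross-site
    page can make the browser attach cookies but cannot add a custom header,
    so a forged request is refused whatever its Origin says."""
    if req.method == "OPTIONS":
        return Response(405, "Method Not Allowed")   # preflight no longer served
    if req.method in SAFE_METHODS:
        return None
    header = req.header(TOKEN_HEADER)
    cookie = req.cookies.get(TOKEN_COOKIE)
    if not header or not cookie:
        return Response(403, "Missing Request-Token")
    if not hmac.compare_digest(header.encode(), cookie.encode()):
        return Response(403, "Request-Token mismatch")
    return None


def status(resp: Optional[Response]) -> int:
    return 200 if resp is None else resp.status


def run_scenarios() -> Dict[str, Dict[str, int]]:
    """Runs constructed requests through both checks; returns status codes."""
    token = issue_request_token()
    upload = "/nifi-api/process-groups/root/templates/upload"  # assumed path
    nifi_origin = "https://nifi.internal:8443"               # assumed origin
    scenarios = {
        # UI reached through a reverse proxy: Origin is the proxy host.
        "proxied_upload": Request("POST", upload,
            headers={"Origin": "https://proxy.example", TOKEN_HEADER: token},
            cookies={TOKEN_COOKIE: token}),
        # Attacker page: cookie may ride along, the custom header cannot.
        "cross_site_forgery": Request("POST", upload,
            headers={"Origin": "https://evil.example"},
            cookies={TOKEN_COOKIE: token}),
        # Header present but guessed: Origin alone would have let this through.
        "wrong_header": Request("POST", upload,
            headers={"Origin": nifi_origin, TOKEN_HEADER: "guess"},
            cookies={TOKEN_COOKIE: token}),
        # CORS preflight is not answered at all any more.
        "preflight": Request("OPTIONS", upload,
            headers={"Origin": "https://proxy.example"}),
        # Read-only request needs no token under either check.
        "plain_get": Request("GET", "/nifi-api/flow/about"),
    }
    return {
        name: {"origin_check": status(origin_check(r, {nifi_origin})),
               "request_token_check": status(request_token_check(r))}
        for name, r in scenarios.items()
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} {result}")
```

Running it shows the proxied upload failing the Origin check (403) but passing the token check, while the forged cross-site POST fails the token check because only the cookie, not the header, reaches the server. Two caveats a practitioner should keep in mind with this pattern: the token cookie cannot be HttpOnly, so any script injection on the origin can read it, and a double-submit comparison with no server-side binding can be undermined by an attacker who controls a sibling subdomain able to set cookies for the parent domain.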