Posted to issues@fineract.apache.org by "Francis Guchie (Jira)" <ji...@apache.org> on 2021/10/03 14:46:00 UTC

[jira] [Commented] (FINERACT-879) Refine overly permissive Cross-Origin Resource Sharing (CORS) policy

    [ https://issues.apache.org/jira/browse/FINERACT-879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17423670#comment-17423670 ] 

Francis Guchie commented on FINERACT-879:
-----------------------------------------

Thanks to [~vorburger] for this issue 

I have done some checks here and there and found out that users running Tomcat can allow specific domains to access data by adding a CorsFilter, as explained here: [https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#CORS_Filter]. This can be done globally by adding the filter in the tomcat/conf/web.xml file or in the ~\tomcat\webapps\fineract-provider\WEB-INF\web.xml file. However, when you read the ~\tomcat\webapps\fineract-provider\WEB-INF\web.xml file, you will discover that
=========================================================================
web.xml is no longer used since the switch to Spring Boot.

org.apache.fineract.infrastructure.core.boot.war.WebApplicationInitializerConfiguration
and
org.apache.fineract.infrastructure.core.boot.WebXmlConfiguration

take its place now.
=========================================================================

This means that users cannot allow CORS themselves; it has to be done in Fineract, in a way where users can add the filters or enable it somewhere.
There are a number of users of Apache Fineract, as can be seen here: [https://github.com/apache/fineract#readme]

> Refine overly permissive Cross-Origin Resource Sharing (CORS) policy
> --------------------------------------------------------------------
>
>                 Key: FINERACT-879
>                 URL: https://issues.apache.org/jira/browse/FINERACT-879
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Security
>            Reporter: Michael Vorburger
>            Assignee: Rahul Pawar
>            Priority: Critical
>              Labels: technical
>
> FINERACT-853 has identified the following which we should probably do something about:
> Security Warnings
> Code: SECCORS
> Warning: The program defines an overly permissive Cross-Origin Resource Sharing (CORS) policy
> Details
> PERMISSIVE_CORS: Overly permissive CORS policy
> Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, cull through it, and communicate it back to the attacker. HTML5 makes it possible for JavaScript to access data across domains if a new HTTP header called Access-Control-Allow-Origin is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.
> Vulnerable Code:
> {{response.addHeader("Access-Control-Allow-Origin", "*");}}
> Solution:
> Avoid using * as the value of the Access-Control-Allow-Origin header, which indicates that the application's data is accessible to JavaScript running on any domain.
> References
> [W3C Cross-Origin Resource Sharing|https://www.w3.org/TR/cors/]
> [Enable Cross-Origin Resource Sharing|http://enable-cors.org/]
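As an added illustration (not Fineract's code, and not part of the Jira issue), this is the allowlist-based Spring Boot configuration that replaces the Tomcat web.xml CorsFilter approach the comment found unavailable: the origins come from a property instead of a hard-coded `*`. The property name `fineract.cors.allowed-origins` and the `/api/**` mapping are assumptions chosen for the example.

```java
import java.util.Arrays;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Spring Boot equivalent of a web.xml CorsFilter. Instead of
 * response.addHeader("Access-Control-Allow-Origin", "*"), the browser is only
 * told to allow the exact origins a deployer has configured.
 */
@Configuration
public class CorsConfig implements WebMvcConfigurer {

    // Hypothetical property (not a real Fineract setting), e.g. in application.properties:
    //   fineract.cors.allowed-origins=https://app.example.com,https://admin.example.com
    // The default is empty, so no cross-origin access is granted until a deployer opts in.
    @Value("${fineract.cors.allowed-origins:}")
    private String allowedOrigins;

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        String[] origins = Arrays.stream(allowedOrigins.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .toArray(String[]::new);
        if (origins.length == 0) {
            // No mapping registered: responses carry no Access-Control-Allow-Origin header at all.
            return;
        }
        registry.addMapping("/api/**")                       // assumed API path prefix
                .allowedOrigins(origins)                     // exact scheme://host[:port] values, never "*"
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                .allowedHeaders("Authorization", "Content-Type", "Fineract-Platform-TenantId")
                .allowCredentials(true)                      // Spring 5.3+ rejects "*" together with credentials
                .maxAge(3600);                               // cache the preflight result for one hour
    }
}
```

With this in place a request whose Origin is not in the list receives no Access-Control-Allow-Origin header, so the browser blocks the cross-origin read, which is exactly the Same Origin Policy behaviour the warning text describes.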



--
This message was sent by Atlassian Jira
(v8.3.4#803005)