Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update CORS, add AMP-Same-Origin when Origin is missing on same origin requests #4879

Merged
merged 8 commits into from
Sep 13, 2016

Conversation

mkhatib
Copy link
Contributor

@mkhatib mkhatib commented Sep 9, 2016

ITI: #3343


<h4>Subscribe to our weekly Newsletter (POST xhr same origin)</h4>
<form method="post"
action="/form/html/post"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FMI: Why both action and action-xhr?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We always require action as a fallback in case amp-form extension failed to load for any reason the form would still be submittable.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. Unfortunately we don't have a security story in that case, right? Maybe only allow fallback for same origin?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have document-submit that gets bundled part of amp runtime. It also handles the cases where amp-form might fail. For example, the POST + non-XHR case is prevented by document-submit. GET requests are ok to fallback as long as we clearly communicate they shouldn't be used for state changing requests.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For POST this is very misleading. We should just remove action. We need to find a way to block un-upgraded submission in our submit handler so it doesn't post to itself (although this is probably already happening).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For POST this is very misleading. We should just remove action

I am assuming this is just for the examples? sgtm

We need to find a way to block un-upgraded submission in our submit handler so it doesn't post to itself

document-submit does assert action is provided, https and not on cdn for GET. We do stop un-upgraded POST submissions in this PR.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Examples and validator.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@cramforce
Copy link
Member

Please document the submission rules in the amp-form docs.

@mkhatib
Copy link
Contributor Author

mkhatib commented Sep 9, 2016

Done. PTAL 👀

You can also provide an action-xhr attribute, if provided, the form will be submitted in an XHR fashion.

This attribute can be the same or a different endpoint than `action` and has the same action requirements above.

**Important**: Your XHR endpoints need to follow and implement [CORS Requests in AMP spec](https://github.com/ampproject/amphtml/blob/master/spec/amp-cors-requests.md).

**Important**: See [Protecting against XSRF attacks](
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Broken link.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@molnarg
Copy link

molnarg commented Sep 9, 2016

It's worth mentioning that target=_blank won't work with XHR.

Your XHR endpoints need to follow and implement [CORS Requests in AMP spec](https://github.com/ampproject/amphtml/blob/master/spec/amp-cors-requests.md).

### Protecting against XSRF
In addition to following AMP CORS spec, please pay extra attention to [non-idempotent requests note]()
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: dot at the end of the sentence.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, missing link.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think idempotence is the wrong concept here. Maybe just "mutating" or "state changing"

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True, "state changing" would be better and simpler.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@mkhatib
Copy link
Contributor Author

mkhatib commented Sep 9, 2016

Done. 👀 PTAL

message: '__amp_source_origin parameter is invalid.'
}));
return;
if (req.headers['amp-same-origin'] != 'true') {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good time to move this test in a separate function. E.g. checkAmpCors or such.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In light of the discussion below, we should reverse the checks and process Origin header first.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's discuss this in the other thread, I think there's no change needed here.

@mkhatib
Copy link
Contributor Author

mkhatib commented Sep 11, 2016

PTAL 👀

@molnarg
Copy link

molnarg commented Sep 13, 2016

LGTM

const init = {method: 'post', body: {}};
location.href = '/path';
xhr.fetchJson('/whatever', init);
expect(init['headers']['AMP-Same-Origin']).to.equal('true');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add a test to ensure it uses actual origins and NOT source origins.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@dvoytenko
Copy link
Contributor

LGTM with one more test requested. Please add the test and merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants