[ https://issues.apache.org/jira/browse/NIFI-16059?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Gilman updated NIFI-16059:
-------------------------------
    Status: Patch Available  (was: In Progress)

> Connector custom UI: validate postMessage origin against the application origin instead of the connector's configuration URL
> ----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-16059
>                 URL: https://issues.apache.org/jira/browse/NIFI-16059
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core UI
>            Reporter: Matt Gilman
>            Assignee: Matt Gilman
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The connector custom UI host (ConnectorMessageHost) validates the origin of
> inbound postMessage events from a connector's embedded custom UI. The origin
> it trusts is derived from the connector entity's configurationUrl / detailsUrl --
> the same per-connector field that is used to set the custom UI iframe's src.
> Because the content loaded into the iframe and the origin used to validate
> messages coming back from it are taken from the same per-connector value, the
> inbound origin check does not represent an independent trust decision. Whatever
> controls that field controls both the loaded UI and the origin string used to
> validate messages from it, so the validation is effectively self-referential
> (an Origin Validation Error, CWE-346).
>
> Connector custom UIs are served by the NiFi web server itself: the
> configuration/details URLs are generated server-side in ConnectorResource from
> the incoming request URI, so the custom UI is same-origin with the application.
>
> The origin that should be trusted for these messages is therefore a property of
> the application, not of an individual connector entity, and the current coupling
> between the iframe source and the message-trust origin is unnecessary.
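The two trust policies the issue contrasts, as an added illustration that is not Apache NiFi code and not part of the issue text. The function and fixture names (`trustedByConnectorUrl`, `trustedByAppOrigin`, `handleConnectorMessage`, the sample connector entities and message events) are hypothetical; the application origin is passed in as a parameter so the code runs under Node, where a browser would use `window.location.origin`. The hardened handler also compares `event.source` against the iframe's window, a standard postMessage hygiene step the issue does not mention.

```javascript
// Added example (not Apache NiFi code): comparing two origin-validation policies
// for postMessage events reaching a custom-UI host. All names are hypothetical.

// Origin (scheme://host[:port]) of an absolute URL, or null if it cannot be parsed.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (_) {
    return null;
  }
}

// Weak policy: the trusted origin is derived from the connector's own
// configurationUrl, the same field that sets the iframe src. Whatever sets that
// field also decides which origin passes the check, so the check is self-referential
// (CWE-346, Origin Validation Error).
function trustedByConnectorUrl(event, connector) {
  const expected = originOf(connector.configurationUrl);
  return expected !== null && event.origin === expected;
}

// Hardened policy: the trusted origin is a property of the application
// (window.location.origin in a browser; passed in here so the code runs in Node).
// The opaque origin "null" is never a valid application origin and is rejected.
function trustedByAppOrigin(event, appOrigin) {
  return event.origin !== 'null' && event.origin === appOrigin;
}

// Message host: accept a message only if it arrives from the application origin
// and, when the host knows its iframe, from that iframe's window. Returns the
// payload on success and null otherwise, so callers never touch rejected data.
function handleConnectorMessage(event, appOrigin, expectedSource) {
  if (!trustedByAppOrigin(event, appOrigin)) return null;
  if (expectedSource !== undefined && event.source !== expectedSource) return null;
  return event.data;
}

// Constructed fixtures (not real NiFi entities or captured traffic).
const APP_ORIGIN = 'https://nifi.example.test:8443';
const sameOriginConnector = {
  id: 'c1',
  configurationUrl: `${APP_ORIGIN}/nifi-api/connectors/c1/config`,
};
const foreignConnector = { id: 'c2', configurationUrl: 'https://other.example.test/ui' };
const iframeWindow = { name: 'custom-ui-frame' }; // stand-in for iframe.contentWindow

const fromApp = { origin: APP_ORIGIN, source: iframeWindow, data: { type: 'ready' } };
const fromForeign = { origin: 'https://other.example.test', source: iframeWindow, data: { type: 'ready' } };
const fromOpaque = { origin: 'null', source: iframeWindow, data: { type: 'ready' } };

// Side-by-side outcome of both policies on the same constructed events.
function demo() {
  return {
    // The per-connector check passes the foreign origin because the connector field says so.
    connectorCheckForeign: trustedByConnectorUrl(fromForeign, foreignConnector), // true
    // The application-origin check is independent of connector configuration.
    appCheckForeign: trustedByAppOrigin(fromForeign, APP_ORIGIN),               // false
    appCheckSame: trustedByAppOrigin(fromApp, APP_ORIGIN),                      // true
    opaqueRejected: trustedByAppOrigin(fromOpaque, APP_ORIGIN),                 // false
  };
}

console.log(demo());
```

The point the comparison makes: with the per-connector policy, the answer to "is this origin trusted?" is whatever the connector entity's URL field names, so changing that field changes both what the iframe loads and what the host will believe; with the application-origin policy, the answer is fixed by the deployment and a message from any other origin, including the opaque origin `null`, is dropped before its payload is examined.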
--
This message was sent by Atlassian Jira
(v8.20.10#820010)