Zeronet: CORS errors on browsers that trim HTTP referer value

Created on 21 Mar 2019  路  7Comments  路  Source: HelloZeroNet/ZeroNet

Environment

  • ZeroNet version: 0.6.5
  • Operating system: Linux
  • Web browser: Firefox/Tor Browser
  • Tor status: available
  • Opened port: no

Description

Recently browsers like Firefox (and since forever the Tor Browser) have been trimming everything except the host from their HTTP referer fields, meaning a referer such as:

http://127.0.0.1:43110/mysite.bit/?/&wrapper_nonce=473ca0c6827a489696f5bc40b29d1ea3ce148d793754e049eed82e1349087052

becomes:

http://127.0.0.1:43110/

While this is a win for privacy in general, it causes some issues with ZeroNet, which uses the HTTP referer to determine whether a site can make a CORS to itself:

https://github.com/HelloZeroNet/ZeroNet/blob/7bff5f562c42a4a5f73e104c0f767c1413064aa6/src/Ui/UiRequest.py#L222-L223

https://github.com/HelloZeroNet/ZeroNet/blob/7bff5f562c42a4a5f73e104c0f767c1413064aa6/src/Ui/UiRequest.py#L431-L436

The regex code will in fact return False when the referer is http://127.0.0.1:43110/, as we can't easily determine from which ZeroNet site the request came from (and thus can't be sure that this isn't another site trying request site files from us).

So, we need some way to correctly authenticate a CORS request from browsers who trim their HTTP referer headers.

For the record this is currently the cause of some sites having their icon fonts broken in certain browsers.

bug
Source
picture anoadragon453
👍3

All 7 comments

Because of this, many sites cannot be shown correctly.

tangdou1 picture tangdou1 on 26 Mar 2019

Relevant update in firefox:
https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/

Now, the referer can not be used in zeronet for cors.

tangdou1 picture tangdou1 on 26 Mar 2019
👍1

Thanks for reporting I was able to reproduce in FF private mode and added a modification that allows the origin-only referrer: https://github.com/HelloZeroNet/ZeroNet/commit/350adeb52d54830422e3413e4bc1119691ed4b99

HelloZeroNet picture HelloZeroNet on 27 Mar 2019

Can confirm the fix works :tada:

anoadragon453 picture anoadragon453 on 27 Mar 2019

I'm getting another CORS issue in chrome and tor browser... not sure if this is related, but it shows that origin in 'null' in the error message:

image

And here's the headers:
image

Here's the zite: http://127.0.0.1:43110/12xozBV7dYskrNQ2G5srnzsTgStaX6Coph/
(note, it uses PeerMessage for multiplayer - but single-player doesn't need that plugin)

Edit: Ok, nvm. I needed to get the ajax key from "wrapperGetAjaxKey" ZeroFrame command, then add "?ajax_key=" to the end of the URL when I do "new Image()" in javascript.

krixano picture krixano on 11 Oct 2019

I just tested a zite in Firefix private mode... the bug is now there again even though it was fixed previously.

krixano picture krixano on 28 Oct 2019

Thanks for reporting this should be fixed by https://github.com/HelloZeroNet/ZeroNet/commit/270f3e9ffdf45ac402aee5d8e714290af209402a in Rev4250

HelloZeroNet picture HelloZeroNet on 28 Oct 2019
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jeff-hykin picture jeff-hykin  路  40Comments
BenMcLean picture BenMcLean  路  39Comments
ghost picture ghost  路  54Comments
krixano picture krixano  路  59Comments
HelloZeroNet picture HelloZeroNet  路  42Comments