Origins other than localhost:43110 break the latest version of ZeroNet. Constant popups in the top-right corner say it disconnects/reconnects over and over, namely for http://domainname.bit and http://zero/address style URLs. I'm using a .pac to redirect the URLs, which you can find here: http://127.0.0.1:43110/kaffie.bit/zeronet.pac
```
[23:40:34] Ui.UiServer Added 127.0.0.1:43110 as allowed host
[23:40:34] Ui.UiServer Error 403: Invalid origin: http://talk.zeronetwork.bit
[23:40:34] Ui.UiServer Error 403: Invalid origin: http://zero
[23:40:34] Ui.UiServer Error 403: Invalid origin: http://zero
```
Version: 0.7.0 r4188 w/ Python 3.7.3
This is the commit that caused it to break:
https://github.com/HelloZeroNet/ZeroNet/commit/b871849df45cc5da9eff0ca780c0c8afe0e8a0cd#diff-7fa31802ec08bb55f5128c3e841b5f34
There doesn't appear to be a way to add regex for accepted hosts (namely http://zero/ and http://.*\.bit but also http://.*\.zeroid)
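An added example (not part of the issue thread and not ZeroNet's code): one way to check an `Origin` header against exact hosts plus fully anchored host patterns, the kind of regex allowlist asked for above. The names `EXACT_HOSTS`, `HOST_PATTERNS`, `origin_host` and `is_allowed_origin` are hypothetical, and the policy is constructed from the hosts named in the report.

```python
import re
from urllib.parse import urlsplit

# Hypothetical policy, constructed from the hosts named in the report.
EXACT_HOSTS = {"127.0.0.1:43110", "localhost:43110", "zero"}
# Patterns are applied with fullmatch(), so they are anchored at both ends:
# one or more DNS labels followed by the suffix, and nothing after it.
HOST_PATTERNS = [
    re.compile(r"(?:[a-z0-9-]+\.)+bit"),
    re.compile(r"(?:[a-z0-9-]+\.)+zeroid"),
]


def origin_host(origin):
    """Return the lower-cased host[:port] of an Origin value, or None."""
    # Opaque origins (for example documents loaded from data: URLs)
    # serialize as the literal string "null"; never treat that as a host.
    if not origin or origin == "null":
        return None
    try:
        parts = urlsplit(origin)
    except ValueError:  # malformed netloc such as an unbalanced "["
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # An Origin is scheme://host[:port] only; reject anything carrying more.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    return parts.netloc.lower()


def is_allowed_origin(origin):
    """True if the Origin is an exact allowed host or fully matches a pattern."""
    host = origin_host(origin)
    if host is None:
        return False
    if host in EXACT_HOSTS:
        return True
    # fullmatch, not search: "kaffie.bit.example.com" must not pass as ".bit".
    return any(p.fullmatch(host) for p in HOST_PATTERNS)


if __name__ == "__main__":
    for sample in ("http://talk.zeronetwork.bit", "http://zero",
                   "http://kaffie.bit.example.com", "null"):
        print(sample, is_allowed_origin(sample))
```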
@HelloZeroNet You do remember I proposed a better solution, don't you?
Sure, people are sometimes dumb, but I gave you a fix that worked better than this workaround. And now we're learning that the workaround led to even more problems than expected.
Please, can people please start listening to me?
I must have forgotten. This is a recent bug. The problem is that it's catching anything that isn't an IP address in the URL bar and throwing an error. Meaning any solution would break. What do you suggest as an alternative?
@April93 Please check your ZeroMail.
@HelloZeroNet You _do_ remember I proposed a better solution, don't you?
I will also apply that fix, but checking the origin for ws also improves security.
I don't think it helps. It stops working well once you find a way to create an iframe (escaping to the wrapper is not required). I don't have a PoC right now, but I think that data: protocol will work here.
This should be fixed by https://github.com/HelloZeroNet/ZeroNet/commit/e16611f15ab06216c07baa5e0ebf3214e3ae6b07
Finally, lol.