Matt Gilman created NIFI-16059:
----------------------------------

             Summary: Connector custom UI: validate postMessage origin against 
the application origin instead of the connector's configuration URL
                 Key: NIFI-16059
                 URL: https://issues.apache.org/jira/browse/NIFI-16059
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Core UI
            Reporter: Matt Gilman
            Assignee: Matt Gilman


The connector custom UI host (ConnectorMessageHost) validates the origin of
inbound postMessage events from a connector's embedded custom UI. The origin it 
trusts is derived from the connector entity's configurationUrl / detailsUrl --
the same per-connector field that is used to set the custom UI iframe's src.

Because the content loaded into the iframe and the origin used to validate
messages coming back from it are taken from the same per-connector value, the
inbound origin check does not represent an independent trust decision. Whatever
controls that field controls both the loaded UI and the origin string used to
validate messages from it, so the validation is effectively self-referential
(an Origin Validation Error, CWE-346).

Connector custom UIs are served by the NiFi web server itself: the
configuration/details URLs are generated server-side in ConnectorResource from
the incoming request URI, so the custom UI is same-origin with the application.
The origin that should be trusted for these messages is therefore a property of
the application, not of an individual connector entity, and the current coupling
between the iframe source and the message-trust origin is unnecessary.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to