[ https://issues.apache.org/jira/browse/NIFI-16059?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Gilman updated NIFI-16059:
-------------------------------
Status: Patch Available (was: In Progress)
> Connector custom UI: validate postMessage origin against the application
> origin instead of the connector's configuration URL
> ----------------------------------------------------------------------------------------------------------------------------
>
> Key: NIFI-16059
> URL: https://issues.apache.org/jira/browse/NIFI-16059
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core UI
> Reporter: Matt Gilman
> Assignee: Matt Gilman
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The connector custom UI host (ConnectorMessageHost) validates the origin of
> inbound postMessage events from a connector's embedded custom UI. The origin
> it trusts is derived from the connector entity's configurationUrl /
> detailsUrl -- the same per-connector field that is used to set the custom UI
> iframe's src.
>
> Because the content loaded into the iframe and the origin used to validate
> messages coming back from it are taken from the same per-connector value, the
> inbound origin check does not represent an independent trust decision.
> Whatever controls that field controls both the loaded UI and the origin string
> used to validate messages from it, so the validation is effectively
> self-referential (an Origin Validation Error, CWE-346).
>
> Connector custom UIs are served by the NiFi web server itself: the
> configuration/details URLs are generated server-side in ConnectorResource from
> the incoming request URI, so the custom UI is same-origin with the
> application.
>
> The origin that should be trusted for these messages is therefore a property
> of the application, not of an individual connector entity, and the current
> coupling between the iframe source and the message-trust origin is
> unnecessary.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
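The two origin decisions described in the ticket, side by side, as an added example. This is not Apache NiFi code and not the ConnectorMessageHost implementation: it is a small Node-runnable model of a host page that receives postMessage events from a connector custom-UI iframe. The ticket's terms (connector entity, configurationUrl, application origin, ConnectorResource generating same-origin URLs) are used as given; the function names, the plain-object MessageEvent shape, the sample hostnames and the additional event.source comparison are assumptions made for this example.

```javascript
'use strict';
// Added example, not code from Apache NiFi. Models the origin decisions
// discussed in NIFI-16059 for a host page handling window.postMessage
// events from a connector custom-UI iframe. Function names, the
// plain-object MessageEvent shape and all URLs are assumptions.

// Self-referential check (the behaviour the ticket describes): the trusted
// origin is derived from the same per-connector field that is also used as
// the iframe's src, so whoever controls configurationUrl controls both.
function connectorUrlOriginCheck(event, connector) {
  const trusted = new URL(connector.configurationUrl).origin;
  return event.origin === trusted;
}

// Application-origin check (the direction the ticket proposes): the trusted
// origin is a property of the host application (window.location.origin in a
// browser), independent of any connector entity. The event.source comparison
// is an extra guard beyond the ticket: it ties the message to the exact
// frame this host created rather than any same-origin window.
function applicationOriginCheck(event, appOrigin, expectedSource) {
  if (event.origin !== appOrigin) return false;
  if (expectedSource && event.source !== expectedSource) return false;
  return true;
}

// Minimal host around one connector: an iframe whose src is the connector's
// configurationUrl and a message handler that applies the chosen check.
function buildHost(appOrigin, connector, check) {
  const frame = { src: connector.configurationUrl, contentWindow: { tag: 'custom-ui' } };
  const accepted = [];
  return {
    frame,
    accepted,
    onMessage(event) {
      const ok = check === 'connector-url'
        ? connectorUrlOriginCheck(event, connector)
        : applicationOriginCheck(event, appOrigin, frame.contentWindow);
      if (ok) accepted.push(event.data);
      return ok;
    },
  };
}

// Runs both checks against a connector whose custom UI is same-origin (as
// ConnectorResource generates it) and one whose configurationUrl points at
// another origin, then a spoof attempt from a different same-origin window.
// Returns a map of scenario -> whether the message was accepted.
function runScenario() {
  const APP_ORIGIN = 'https://nifi.example.com:8443'; // assumed application origin
  const legit = { configurationUrl: `${APP_ORIGIN}/nifi-api/connectors/c1/configuration` };
  const foreign = { configurationUrl: 'https://other.example/ui' }; // constructed
  const results = {};

  for (const [name, connector] of [['legit', legit], ['foreign', foreign]]) {
    for (const check of ['connector-url', 'application']) {
      const host = buildHost(APP_ORIGIN, connector, check);
      // Constructed message: sent by whatever document the frame loaded.
      const fromFrame = {
        origin: new URL(host.frame.src).origin,
        source: host.frame.contentWindow,
        data: { type: 'resize', height: 400 },
      };
      results[`${name}/${check}`] = host.onMessage(fromFrame);
    }
  }

  // Constructed spoof: correct application origin, but from another window.
  const host = buildHost(APP_ORIGIN, legit, 'application');
  results['spoof/application'] = host.onMessage({
    origin: APP_ORIGIN,
    source: { tag: 'some-other-window' },
    data: { type: 'resize', height: 400 },
  });

  return results;
}
```

Running `runScenario()` shows the point of the ticket in one table: the connector-URL check accepts the message from the foreign frame because it derived its trusted origin from the very field that pointed there, while the application-origin check rejects it and also rejects a same-origin message from a window other than the frame it created.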