
Solve CNAME Javascript interactions w/ the API #1504


Closed
ericholscher opened this issue Jul 30, 2015 · 3 comments
Labels
Improvement Minor improvement to code Needed: more information A reply from issue author is required

Comments

@ericholscher
Member

ericholscher commented Jul 30, 2015

Description

Currently we don't really support any kind of writing via the API from CNAME'd websites. This is mainly because of the cross domain requirements inside the browser. We've done some basic work w/ CORS to look into supporting this, but there are some security implications we need to think through before we turn on any kind of real access.

Proposed Solution

We now have Domain objects that are associated with each project. This means that when we get a request from a specific domain, we can map against the Domain object, and return the proper CORS headers for their domains. This should allow CNAMEs to be able to have proper CORS requests against our API.

Implementation

We will build middleware that intercepts OPTIONS and GET requests to custom Domains, then does a lookup on the Domain object, and gives proper access. We will likely need to do some kind of mapping from the Domain coming in to verify that the requested URLs belong to the project associated with the domain.

We will also limit this functionality to a whitelist of API calls that we expect from documentation pages. The main thing we need to protect against is full API access for custom Domains against the RTD API. Currently I believe we only need to whitelist /api/v2/search/ and /api/v2/footer/.

Testing

When this work is done:

  • API Search should work on CNAMEs -- we will verify with a CNAME that the API-based RTD search works properly
  • Footer rendering works properly with authed user information
  • Confirm that http://docs.citusdata.com/ search works as an example use case.

References

Sponsorship

This work is being sponsored by Citus Data
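A worked sketch of the middleware decision the issue proposes (an added example, not Read the Docs' own code): the request's Origin header is mapped to a registered Domain, the grant is confined to the two whitelisted paths, and the project named in the request is checked against the project that owns the domain, which also answers the later question of opening only the search endpoint. The domain table, the `project=` query parameter and the function name are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the Domain objects: custom domain -> project slug.
# (Assumption: in the real service this is a database lookup.)
DOMAINS = {
    "docs.citusdata.com": "citus",
    "docs.example.org": "example",
}

# Whitelist from the issue: only the calls a documentation page is expected to make.
CORS_ALLOWED_PATHS = frozenset({"/api/v2/search/", "/api/v2/footer/"})
CORS_ALLOWED_METHODS = frozenset({"GET", "OPTIONS"})


def cors_headers(method, path, query, origin):
    """Decide which CORS headers to add to a response, or return {} to add none.

    `query` is the raw query string; the project being requested is assumed
    to arrive as a `project=` parameter so it can be checked against the domain.
    """
    if method not in CORS_ALLOWED_METHODS or path not in CORS_ALLOWED_PATHS:
        return {}
    if not origin:
        return {}
    parts = urlsplit(origin)
    # A browser Origin is scheme://host[:port] with no path; reject anything else
    # (including the literal "null" origin, which has no scheme).
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.path:
        return {}
    project = DOMAINS.get(parts.hostname.lower())
    if project is None:
        return {}  # not a registered custom domain: no cross-origin access at all
    requested = parse_qs(query).get("project", [None])[0]
    if requested != project:
        return {}  # a CNAME may only read its own project's data
    return {
        # Echo the validated origin rather than "*": the grant stays per-domain,
        # and Vary tells shared caches not to reuse it for a different origin.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET, OPTIONS",
        "Vary": "Origin",
    }
```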

@begriffs

begriffs commented Jun 9, 2016

Is it feasible to override the Access-Control-Allow-Origin response header for specific routes? I can see how in general you'd like to protect API endpoints against abuse but perhaps certain ones are safe for access from other domains.

For instance, the search endpoint. Not having access to the search API from Javascript degrades the search results on our docs page when accessed via CNAME. Could you allow access to https://readthedocs.org/api/v2/search/?

/cc @agjohnson

@agjohnson
Contributor

The underlying issue was solved. What did we do to resolve this? Is this still a valid issue?

stsewd added the "Needed: more information (A reply from issue author is required)" label on Oct 26, 2018
@stsewd
Member

stsewd commented Jan 8, 2019

We (actually Eric p:) solved this in #2341. Please re-open if I'm wrong and/or something else needs to be done.

stsewd closed this as completed on Jan 8, 2019