Iframe buster not implemented in reports #10185
Comments
Iframe buster related bug: #10147
I will mark it as a bug similar to #10147. First I checked all the emails, but then I got that it's actually in the UI. While the token auth will be hidden when right-clicking and copying it, the token auth will still be in the URL when actually clicking on it, and there will be a risk of sending the link with the token again. At some point we could actually build an export feature for links within the UI that never shows the token auth.
Opening such reports without token_auth does not work atm, because it is an API request. API requests can currently only be authenticated using the token_auth.
We could already log in a user by using the session in the API, but sessions and API are rather a no-no. We could store the token auth in the cookie, but this would bring some more attack vectors, like XSS getting more relevant, etc., if we stored the token auth in plain text in a cookie. What I was thinking would have been simply a controller/action that basically calls the API with all the given parameters. We would only need to adjust the export logic in
FYI, our API used to work in this way (cookie auth with fallback to token_auth auth), but it was actually confusing and was changed to pure token auth.
This could work. Also, alternatively, maybe we could
That doesn't work with right click, etc.
Ok, then +1 to proxy such requests through a controller while the user is logged in to the UI. This should work well 👍
I guess adding an API proxy method, as @tsteur mentioned, would be the simplest solution.
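The proxy approach discussed in the comments above, as an added example that is not Matomo's code: Python rather than Matomo's PHP, with an audit helper that finds links still carrying `token_auth` and a stand-in controller action that checks the UI session and attaches the token server-side. The module/action names (`ExampleProxy`, `api`), the helper function names and the sample link are all assumptions made for this illustration.

```python
"""Added example (not Matomo's code): keeping token_auth out of report links.

Shows, in Python rather than Matomo's PHP, an audit helper that finds links
still exposing token_auth and a hypothetical proxy controller action that
authenticates via the UI session and adds the token server-side.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# A token_auth is 32 hex characters; the pattern only matches that shape.
TOKEN_RE = re.compile(r"\btoken_auth=[0-9a-f]{32}\b", re.I)

# Hypothetical controller action standing in for the proxy discussed above.
PROXY_PARAMS = [("module", "ExampleProxy"), ("action", "api")]


def scan_for_token_auth(document: str) -> list[str]:
    """Return every URL in a rendered page or email that still exposes a token."""
    urls = re.findall(r"https?://[^\s\"'<>]+", document)
    return [u for u in urls if TOKEN_RE.search(u)]


def to_proxy_link(api_url: str) -> str:
    """Rewrite a module=API export link into a token-free link to the proxy."""
    parts = urlsplit(api_url)
    forwarded = [(k, v) for k, v in parse_qsl(parts.query)
                 if k not in ("module", "token_auth")]
    return urlunsplit(parts._replace(query=urlencode(PROXY_PARAMS + forwarded)))


def proxy_api_request(session: dict, query: str, call_api):
    """Server side of the proxy: require a logged-in UI session, ignore any
    client-supplied token, and forward to the API with the session user's
    token. `call_api` is injected so the example runs offline."""
    if not session.get("logged_in"):
        raise PermissionError("UI session required")
    params = dict(parse_qsl(query))
    params.pop("token_auth", None)   # never trust a token from the client
    params.pop("action", None)       # belongs to the proxy, not the API
    params["module"] = "API"
    params["token_auth"] = session["token_auth"]  # from server-side state only
    return call_api(params)
```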
May have closed this by mistake.
I think this changed anyway with Matomo 4, so if anyone still has this issue, please create a new issue (and maybe mention this one).
According to #2701, all export links should be stripped of auth_token. This isn't the case for the link allowing to download a file with the email report content:
Users' concern is that an end-user may copy that link and send it to someone. Then the token will be exposed.