Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]fix prefilght cors OPTIONS request record in the action visits #19030

Merged
merged 17 commits into from Apr 11, 2022
Merged

[Bug]fix prefilght cors OPTIONS request record in the action visits #19030

merged 17 commits into from Apr 11, 2022

Conversation

peterhashair
Copy link
Contributor

@peterhashair peterhashair commented Mar 30, 2022
edited

Description:

Fixes: #18812

Extend requests with headers and method do not record preflight cors in the database.

To reproduce the issue one needs to trigger prefight cors, eg add a request header more details can be found here

       headers:{'X-PINGOTHER':'pingpong'}

Review

extend request with options and method
5859a94 
when options header and method is options do not record in the database.
@peterhashair peterhashair changed the title [Bug]extend request with options and method fix prefilght cors record in the database [Bug]fix prefilght cors OPTIONS request record in the action visits Mar 31, 2022
Peter added 2 commits March 31, 2022 13:23
update function
7a1158b 
update function
update tests
b440e59 
update tests
update tests
19eab3f 
adjust code only trigger on option request
@peterhashair peterhashair added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Mar 31, 2022
@peterhashair peterhashair added this to the 4.9.0 milestone Mar 31, 2022
sgiehl
sgiehl requested changes Mar 31, 2022
View reviewed changes
core/Tracker/Request.php Outdated Show resolved Hide resolved
remove class variable
cb4e368 
remove server
@peterhashair peterhashair added the Needs Review PRs that need a code review label Mar 31, 2022
sgiehl
sgiehl reviewed Apr 1, 2022
View reviewed changes
core/Tracker/Request.php Outdated Show resolved Hide resolved
Update Request.php
6c90449 
add check request method
sgiehl
sgiehl reviewed Apr 4, 2022
View reviewed changes
core/Tracker/Action.php Outdated Show resolved Hide resolved
@justinvelluppillai justinvelluppillai modified the milestones: 4.9.0, 4.10.0 Apr 4, 2022
@sgiehl
Copy link
Member

sgiehl commented Apr 5, 2022

I'm not really deep into such CORS stuff, but I was wondering if we shouldn't send a proper answer to a CORS request.
According to https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request it seems the correct answer would a 204 with some additional headers containing the allowed methods.
@peterhashair did you test what happens if we send a normal answer to the preflight request? Is the tracking request still sent in that case?

@peterhashair
Copy link
Contributor Author

@sgiehl right that makes sense, will update that.

@peterhashair
Copy link
Contributor Author

@sgiehl I am trying to figure out how to do a response as 204, but I notice there is a set of requests, not just one, if I respond 204 in the foreach, will that affect another request?

1 similar comment
@peterhashair

This comment was marked as duplicate.

Sign in to view
@sgiehl
Copy link
Member

sgiehl commented Apr 7, 2022

@peterhashair You may need to handle that at an earlier stage. As it's not relevant if the preflight request might contain one or more tracking requests, you should do that before the request is actually parsed. Guess here it might suite:

matomo/core/Tracker.php

Lines 130 to 136 in 078909e

public function track(Handler $handler, RequestSet $requestSet)
{
if (!$this->shouldRecordStatistics()) {
return;
}
$requestSet->initRequestsAndTokenAuth();

Peter added 2 commits April 8, 2022 12:12
return 204 on prefight
1e723f9 
return 204 on prefight
Update Tracker.php
fabac0a 
accept cors
@peterhashair
Copy link
Contributor Author

@sgiehl it seems like the prefight works, just wondering should I use the site url store in the data for the Access-Control-Allow-Origin, otherwise there will be security issue I guess.

             header('Access-Control-Allow-Methods: GET, POST');
               header('Access-Control-Allow-Headers: *');
               header('Access-Control-Allow-Origin: *');
               Common::sendResponseCode(204);

sgiehl
sgiehl requested changes Apr 11, 2022
View reviewed changes
Copy link
Member

@sgiehl sgiehl left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sgiehl it seems like the prefight works, just wondering should I use the site url store in the data for the Access-Control-Allow-Origin, otherwise there will be security issue I guess.

Actually I guess the * might be fine. We can't really know where a tracking request might come from. Using all configured sites might also not be correct, as people could also track unconfigured site urls.

core/Tracker.php Outdated Show resolved Hide resolved
sgiehl
sgiehl reviewed Apr 11, 2022
View reviewed changes
core/Tracker/RequestSet.php Outdated Show resolved Hide resolved
@sgiehl
Copy link
Member

sgiehl commented Apr 11, 2022

I've now applied a couple of fixes and added a simple test to get this ready to merge...

@sgiehl sgiehl merged commit 8a8b512 into 4.x-dev Apr 11, 2022
@sgiehl sgiehl deleted the m-18812 branch April 11, 2022 13:10
@peterhashair peterhashair mentioned this pull request Apr 19, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justinvelluppillai justinvelluppillai justinvelluppillai left review comments

@sgiehl sgiehl sgiehl requested changes

Assignees
No one assigned
Labels
Needs Review PRs that need a code review not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org.
Projects
None yet
Milestone
4.10.0
Development

Successfully merging this pull request may close these issues.

options request will also be recorded
3 participants
@peterhashair @sgiehl @justinvelluppillai