
cockpit: Reconfigure to allow any origin

When Cockpit is not configured with any origins, it uses the host and protocol of the incoming request to set the allowed origin for WebSocket connections. By ensuring that the original host/protocol is passed on to Cockpit from the browser, we can eliminate the need for configuring a pre-determined list of origins. Passing the host and protocol from the browser is done by setting ProxyPreserveHost and using https:// for proxying.

For a cross-site request, Origin: and Host: entries won't match and '403 Forbidden' is thrown. So, this approach is still safe.

Tests:

  • Without the patch, access Cockpit using IP address and it fails. Apply the patch. Cockpit setup should run. Origins= directive in the configuration file /etc/cockpit/cockpit.conf should get removed. Accessing with IP address and logging in succeeds.

  • Freshly set up a container with the patch and access Cockpit using IP address. This works and login succeeds.

  • Test on stable and testing containers.

Signed-off-by: Sunil Mohan Adapa sunil@medhas.org
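
The origin check described in the message above, as an added example that is not part of the merge request and is not Cockpit's code. It is a simplified model: the backend address `127.0.0.1:9090`, the client address `192.0.2.10`, the site `other-site.example` and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize(scheme, hostport):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(f"{scheme}://{hostport}")
    return (scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS[scheme])

def handshake_status(origin, host_header, scheme):
    """Model of a backend with no configured origin list: the only allowed
    origin is the one built from the request's own Host header and protocol.
    Returns 101 (upgrade accepted) or 403 (Forbidden)."""
    o = urlsplit(origin or "")
    if o.scheme not in DEFAULT_PORTS or not o.hostname:
        return 403  # missing, "null" or non-HTTP Origin
    same = normalize(o.scheme, o.netloc) == normalize(scheme, host_header)
    return 101 if same else 403

def seen_by_backend(browser_host, preserve_host, proxy_scheme,
                    backend="127.0.0.1:9090"):
    """What reaches the backend through a reverse proxy (assumed model).
    Without ProxyPreserveHost the Host header becomes the backend address;
    the protocol is that of the proxy-to-backend connection."""
    return (browser_host if preserve_host else backend, proxy_scheme)

def check(origin, browser_host, preserve_host, proxy_scheme):
    host, scheme = seen_by_backend(browser_host, preserve_host, proxy_scheme)
    return handshake_status(origin, host, scheme)

if __name__ == "__main__":
    site = "192.0.2.10"  # constructed: user browses by IP address over HTTPS
    cases = [
        ("preserve host + https proxying", f"https://{site}", True, "https"),
        ("host rewritten by proxy", f"https://{site}", False, "https"),
        ("plain http to backend", f"https://{site}", True, "http"),
        ("cross-site page", "https://other-site.example", True, "https"),
    ]
    for label, origin, preserve, scheme in cases:
        print(f"{label:32} -> {check(origin, site, preserve, scheme)}")
```

Only the first case is accepted: the two misconfigured proxy cases fail closed with 403, and the cross-site Origin is rejected even with the proxy set up as described.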
