Skip to content

GitLab

Switch branch/tag
  1. 01 Dec, 2020 1 commit
  3. 20 Apr, 2020 1 commit
  5. 05 Apr, 2020 1 commit
    • Hector Sanjuan's avatar
      HTTP API: Disallow GET requests on API · 1b490476
      Hector Sanjuan authored 
      This commit upgrades go-ipfs-cmds and configures the commands HTTP API Handler
to only allow POST/OPTIONS, disallowing GET and others in the handling of
command requests in the IPFS HTTP API (where before every type of request
method was handled, with GET/POST/PUT/PATCH being equivalent).

The Read-Only commands that the HTTP API attaches to the gateway endpoint will
additional handled GET as they did before (but stop handling PUT,DELETEs).

By limiting the request types we address the possibility that a website
accessed by a browser abuses the IPFS API by issuing GET requests to it which
have no Origin or Referrer set, and are thus bypass CORS and CSRF protections.

This is a breaking change for clients that relay on GET requests against the
HTTP endpoint (usually :5001). Applications integrating on top of the
gateway-read-only API should still work (including cross-domain access).
Co-Authored-By: default avatarSteven Allen <steven@stebalien.com>
Co-Authored-By: default avatarMarcin Rataj <lidel@lidel.org>
      1b490476
  7. 14 May, 2019 1 commit
  9. 13 May, 2019 1 commit
  11. 21 Apr, 2019 1 commit
  13. 06 Apr, 2019 1 commit
  15. 17 Jan, 2019 5 commits
  17. 13 Sep, 2018 1 commit
  19. 19 Jun, 2018 1 commit
  21. 10 Apr, 2018 1 commit
  23. 07 Dec, 2017 1 commit
  25. 06 Dec, 2017 1 commit
  27. 21 Nov, 2017 1 commit
  29. 04 Oct, 2017 2 commits
  31. 31 Jul, 2017 1 commit
  33. 17 May, 2016 2 commits
  35. 13 Apr, 2016 1 commit
  37. 31 Mar, 2016 1 commit
  39. 12 Jan, 2016 2 commits
  41. 29 Nov, 2015 1 commit
  43. 03 Nov, 2015 1 commit
  45. 09 Oct, 2015 1 commit
  47. 03 Oct, 2015 1 commit
  49. 24 Aug, 2015 1 commit
  51. 28 Jul, 2015 4 commits
  53. 14 Jul, 2015 2 commits
  55. 20 Jun, 2015 1 commit
  57. 09 Jun, 2015 1 commit