CORS Headers for browser based Json RPC interaction #1487

pull ghost wants to merge 1 commits into bitcoin:master from changing 1 files +41 −31

ghost commented at 1:00 PM on June 20, 2012: none

Added Headers to HTTPReply()

Access-Control-Allow-Origin: Access-Control-Allow-Headers:

Specify the origin with new command line option -rpcorigin defaults to localhost only.

These headers are needed for make RPC requests from a browser. More info: https://developer.mozilla.org/en/http_access_control

Use cases are apps such as https://chrome.google.com/webstore/detail/ablfbfgmgfoggdhhcnledndibdihggpb and a feature I would like to implement for https://blockchain.info/wallet/
Added -rpcorigin option for CORS RPC requests c71216838b
gmaxwell commented at 1:05 PM on June 20, 2012: contributor

I don't believe we want to deal with the potential of CSRF issues in the JSON API, not to mention that exposing the RPC port to the internet is currently a reliable way to get yourself robbed. (And I assume it would be almost as bad with the users browser acting as a proxy)
ghost commented at 1:14 PM on June 20, 2012: none

The RPC port doesn't need to be exposed to the internet. There are a number of ways to circumvent the same origin policy this just makes it easier for those with legitimate uses.
jgarzik commented at 1:50 PM on June 20, 2012: contributor

Yeah, I think these sort of things are more appropriate via a proxy
tcatm commented at 4:46 PM on June 20, 2012: none

FYI this has been discussed at #23 and https://bitcointalk.org/index.php?topic=2672.0 before.
ghost commented at 4:50 PM on June 20, 2012: none

Apologies, feel free to close the request.
unknown closed this on Jun 20, 2012
lateminer referenced this in commit 44307cc45d on Jan 22, 2019
lateminer referenced this in commit ac7a5b302f on May 6, 2020
DrahtBot locked this on Sep 8, 2021

Contributors

Linked (view graph)

#25824 UndefinedBehaviorSanitizer: stack-overflow in miniscript (descriptor_parse)