* fix: add companion ids to allow origins
- fixes#8689
- Adds the chrome-extension ids for ipfs-companion and
ipfs-companion-beta to the allowed origins list, this
allows us to accesss ipfs api from a manifest v3 extension.
- added tests in t0401-api-browser-security.sh
* fix: companion when custom CORS *-Origin is set
Companion extension should be able to access RPC API even when custom
Access-Control-Allow-Origin is set
Co-authored-by: Marcin Rataj <lidel@lidel.org>
This adds localhost ipv6 addresses to the allowlist for use in browser
context and fixes WebUI on ipv6-only deployments: http://[::1]:5001/webui
We were missing CORS/Origin tests for API port so I've added basic ones
and included localhost/127.0.0.1/::1 variants.
This commit upgrades go-ipfs-cmds and configures the commands HTTP API Handler
to only allow POST/OPTIONS, disallowing GET and others in the handling of
command requests in the IPFS HTTP API (where before every type of request
method was handled, with GET/POST/PUT/PATCH being equivalent).
The Read-Only commands that the HTTP API attaches to the gateway endpoint will
additional handled GET as they did before (but stop handling PUT,DELETEs).
By limiting the request types we address the possibility that a website
accessed by a browser abuses the IPFS API by issuing GET requests to it which
have no Origin or Referrer set, and are thus bypass CORS and CSRF protections.
This is a breaking change for clients that relay on GET requests against the
HTTP endpoint (usually :5001). Applications integrating on top of the
gateway-read-only API should still work (including cross-domain access).
Co-Authored-By: Steven Allen <steven@stebalien.com>
Co-Authored-By: Marcin Rataj <lidel@lidel.org>
* Updates go-ipfs-cmds to try to get the tests to pass on travis.
* While we're at it, fix duplicate gx deps.
License: MIT
Signed-off-by: Steven Allen <steven@stebalien.com>
Switch _back_ to the 0.4.18 style of peer IDs while we figure things out. See
https://github.com/libp2p/specs/issues/138.
License: MIT
Signed-off-by: Steven Allen <steven@stebalien.com>
Turns out that `pool.Put(buf)` had to *allocate* because we needed to turn
`[]byte` into `interface{}`. Apparently, we've never done this correctly we just
never noticed because we never really used buffer pools extensively.
However, since migrating yamux to a buffer-pool backed buffer, this started
showing up in allocation profiles.
License: MIT
Signed-off-by: Steven Allen <steven@stebalien.com>
* go-datastore and friends: GetSize
* badger: new release, fewer allocations
* go-mplex: send fewer packets
* go-bitswap: pack multiple blocks in a single message, fewer allocations
* go-buffer-pool: replace the buffer pool from go-msgio
* yamux: fixed data race and uses go-buffer-pool for stream read-buffers to
reduce memory and allocations.
* go-libp2p-secio: get rid of a hot-spot allocation
* go-libp2p-peerstore: reduced allocations (at the cost of some memory)
More?
License: MIT
Signed-off-by: Steven Allen <steven@stebalien.com>
