Skip to content

security: enable public access of our GraphQL/Search/etc APIs from any domain/origin

Warren Gifford requested to merge sg/public-api into main

Created by: slimsag

This PR enables public access of Sourcegraph APIs from any domain / origin securely, and without enabling CSRF attacks against Sourcegraph. This works for all Sourcegraph instances (Sourcegraph.com, on-prem, etc.) Here's how:

  • Requests to our API may now be made from any domain/origin (jsfiddle.net, attacker.com, friendly.com, trusted.com, etc.) which would've previously been blocked by our CORS policies unless it was a trusted domain (e.g. in corsOrigin allow list)
  • Through our CORS policies, browsers are permitted to include authorization (session cookies, access tokens, etc.) in all requests to our API in order to authenticate with Sourcegraph, even if the request came from an untrusted origin.
  • Iff the request came from an untrusted origin (e.g. not in the corsOrigin allow list), then session-based authentication (cookies) sent with the request are NOT respected even if present: the request will be treated as unauthenticated. This is what protects our API from CSRF attacks while still allowing public usage both anonymously and with e.g. access tokens.
  • All requests still go through our regular authorization mechanisms, e.g. most on-prem customers do not have anonymous access enabled in their site configuration and so for them the only way to use their Sourcegraph instance API from an untrusted domain would be to supply an access token.

See also the diagrams added in https://github.com/sourcegraph/sourcegraph/pull/27937 which cover this. I suggest reviewing the commits in this PR individually, the first one makes the simple code change and all subsequent ones just add detailed explanations for why this is secure.

Fixes #18847 (closed) Fixes #23140 (closed)

Merge request reports

Loading