Hi Ying,

AFAIK, CORS headers have something to do with browser implementation/support; here is a list of browsers that support this: https://caniuse.com/#feat=cors.

So, to answer your question in short: no, the CORS header does not provide protection over curl.

On Fri, 29 Jun 2018 at 10:31, Ying Chen <ying.in...@gmail.com> wrote:
> Hello -
>
> So, what you are saying is that this is something that is protected over
> web socket, but not through the HTTP endpoint?
> curl just exercises an http call.....
>
> Ying
>
> On Mon, Jun 25, 2018 at 9:19 PM, Prabhjyot Singh <prabhjyotsi...@gmail.com> wrote:
>> Hi Ying,
>>
>> This config "zeppelin.server.allowed.origins" is to do with setting the CORS
>> header, which means this will continue to work over curl, but will get
>> blocked over any browser. I've attached a screenshot for reference.
>>
>> [image: Screenshot from 2018-06-26 09-48-23.png]
>>
>> Let me know if this helps.
>>
>> On Tue, 26 Jun 2018 at 04:07, Ying Chen <ying.in...@gmail.com> wrote:
>>> Hello -
>>>
>>> I am in the process of validating some security settings for Zeppelin
>>> (0.7.3 w/ HDP 2.6.3).
>>>
>>> According to:
>>> https://zeppelin.apache.org/docs/0.7.0/install/configuration.html
>>> zeppelin.server.allowed.origins can be set to only allow requests that
>>> are coming from a specific host.
>>>
>>> I am not sure if I am using this correctly.
>>>
>>> My HDP system is: my.system.com,
>>> running http://my.system.com:9995 - in zeppelin
>>>
>>> I've updated the advanced zeppelin-config with:
>>> zeppelin.server.allowed.origins=https://my.system.com
>>>
>>> ----------
>>> After restarting - to test:
>>>
>>> Use curl from my machine: mydesktop.system.com
>>>
>>> 1. Get a JSESSIONID:
>>>    curl -i -X POST "http://my.system.com:9995/api/login?password=<passwd>&userName=<uid>"
>>>    -> retrieve JSESSIONID from cookie.
>>>
>>> 2. Try a query against api/notebook. (I can get at the security
>>>    curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' http://my.system.com:9995/api/notebook
>>>    -> This works ... should it?
>>>
>>> 3. Attempt to add random headers...
>>>    curl -v -b 'JSESSIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx; Path=/; HttpOnly' -H 'Host: bogus1.referer.com' -H 'Origin: bogus2.referer.com' -H 'Connection: keep-alive' -H 'Referer: http://bogus3.referer.com' http://my.system.com:9995/api/notebook
>>>    -> This still works... should it?
>>>
>>> The verbose output shows that Host, Referer and Origin have been passed,
>>> yet I am not seeing any sort of blocking...
>>>
>>> > Host: bogus1.referer.com
>>> > User-Agent: curl/7.54.0
>>> > Accept: */*
>>> > Cookie: JSESSIONID=<sid>; Path=/; HttpOnly
>>> > Origin: bogus2.referer.com
>>> > Connection: keep-alive
>>> > Referer: http://bogus3.referer.com
>>>
>>> < HTTP/1.1 200 OK
>>> < Date: Monday, June 25, 2018 3:16:32 PM PDT
>>> < Access-Control-Allow-Origin:
>>> < Access-Control-Allow-Credentials: true
>>> < Access-Control-Allow-Headers: authorization,Content-Type
>>> < Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
>>> < X-FRAME-OPTIONS: SAMEORIGIN
>>> < X-XSS-Protection: 1
>>> < Content-Type: application/json
>>> < Date: Mon, 25 Jun 2018 22:16:32 GMT
>>> < Content-Length: 75
>>> < Server: Jetty(9.2.15.v20160210)
>>> <
>>>
>>> Thoughts?
>>>
>>> Ying
>>
>> --
>> Thankx and Regards,
>>
>> Prabhjyot Singh

--
Thankx and Regards,

Prabhjyot Singh
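The point of the exchange above, shown in code: an added example in Python, not part of the thread and not Zeppelin code. It replays the response captured by curl in step 3 (the body is a constructed placeholder; the real 75-byte body was not quoted) and runs the check a browser would apply to it. The server answered 200 and sent the body no matter what Origin was supplied; the empty Access-Control-Allow-Origin only makes a browser refuse to hand that body to the calling page. A separate helper, also hypothetical, shows what a server-side Origin/Referer allowlist would have to do instead, since that is what the poster expected the setting to provide.

```python
"""Added example (not from the Zeppelin thread or the Zeppelin project).

Demonstrates that CORS response headers are enforced by the browser, after the
server has already processed the request, and so do not block curl.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed transcript modelled on the `curl -v` output quoted in the thread.
# The JSON body is a placeholder; the thread only shows Content-Length: 75.
CAPTURED_RESPONSE = """HTTP/1.1 200 OK
Date: Monday, June 25, 2018 3:16:32 PM PDT
Access-Control-Allow-Origin:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization,Content-Type
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1
Content-Type: application/json
Date: Mon, 25 Jun 2018 22:16:32 GMT
Content-Length: 75
Server: Jetty(9.2.15.v20160210)

{"status":"OK","message":"","body":[]}"""


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.1 response into (status, headers, body).

    Header names are lower-cased and values kept as lists, because the
    captured response carries two Date headers and the CORS check below
    must treat a duplicated Access-Control-Allow-Origin as a failure.
    """
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def curl_sees_body(raw: str) -> Tuple[int, str]:
    """What a non-browser client gets: the status and the whole body.
    curl does not look at Access-Control-* headers at all."""
    status, _, body = parse_response(raw)
    return status, body


def browser_allows_read(origin: str, headers: Dict[str, List[str]],
                        with_credentials: bool) -> bool:
    """The CORS check a browser applies to a cross-origin response (Fetch spec).

    The page at `origin` may read the body only if exactly one
    Access-Control-Allow-Origin is present and equals `origin` (or is '*' for
    a request sent without credentials), and, for a credentialed request,
    Access-Control-Allow-Credentials is exactly 'true'. A failed check does
    not undo anything: the request was already sent and processed.
    """
    acao = headers.get("access-control-allow-origin", [])
    if len(acao) != 1:            # absent or duplicated header -> network error
        return False
    allowed = acao[0]
    if allowed == "*":
        return not with_credentials   # '*' is never accepted with credentials
    if allowed != origin:             # covers the empty value in the capture
        return False
    if with_credentials and headers.get("access-control-allow-credentials") != ["true"]:
        return False
    return True


def server_side_origin_check(request_headers: Dict[str, str],
                             allowed_origins: List[str]) -> bool:
    """Hypothetical server-side allowlist, i.e. what the poster expected the
    CORS setting to do. Not a Zeppelin feature; illustrative only.

    Policy (assumption): a cookie-authenticated API call must carry an Origin,
    or failing that a Referer, whose scheme://host is on the allowlist.
    Requests with neither (curl's default) are refused.
    """
    origin = request_headers.get("origin")
    if not origin and request_headers.get("referer"):
        parts = urlsplit(request_headers["referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    return bool(origin) and origin in allowed_origins


if __name__ == "__main__":
    status, body = curl_sees_body(CAPTURED_RESPONSE)
    _, hdrs, _ = parse_response(CAPTURED_RESPONSE)
    print("curl got", status, "and", len(body), "bytes of body")
    print("browser page at bogus2 may read it:",
          browser_allows_read("http://bogus2.referer.com", hdrs, True))
    print("server-side allowlist would accept step 3:",
          server_side_origin_check({"origin": "bogus2.referer.com"},
                                   ["https://my.system.com"]))
```

Reading the three printed lines together is the whole answer to the thread: curl receives the 200 and the body, a browser page on a foreign origin would be denied the read, and only a server-side check of the kind sketched last would actually refuse the request.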