
Scan history: CSRF error - <url> not in list of trusted origins

Open xofolowski opened this issue 1 year ago • 1 comment

What happened

After setup, intelowl seems to be fully functional when accessed through a fully qualified domain name via an external SSL-enabled reverse proxy. However, on the /scan page, the frontend shows a CSRF error message in the scan history area, complaining that the URL I'm using to access intelowl is not contained in the list of trusted origins.

Environment

  1. OS: Debian 12.5
  2. IntelOwl version: 6.1.0

What did you expect to happen

Scan history should be displayed.

How to reproduce your issue

  • configure intelowl with a fully qualified domain name (INTELOWL_WEB_CLIENT_DOMAIN in env, server_name in nginx configuration files)
  • configure included nginx to serve app on port 80 via plain http; container connected to an additional external docker network
  • configure an already existing second nginx container on that external docker network to act as an SSL-enabled reverse proxy for intelowl and multiple additional services
  • set HTTPS_ENABLED=True in environment

Error messages and logs

[CSRF Failed: Origin checking failed - https://<fqdn> does not match any trusted origins]

Potential Solution / Workaround

I was able to get around the issue by applying the following patch to intel_owl/settings/security.py and rebuilding the service:

diff --git a/intel_owl/settings/security.py b/intel_owl/settings/security.py
index e739d463..0e6b4f43 100644
--- a/intel_owl/settings/security.py
+++ b/intel_owl/settings/security.py
@@ -19,6 +19,7 @@ else:
     WEB_CLIENT_URL = f"http://{WEB_CLIENT_DOMAIN}"

 CSRF_COOKIE_SAMESITE = "Strict"
+CSRF_TRUSTED_ORIGINS = [f"{WEB_CLIENT_URL}"]

 if STAGE_LOCAL:
     # required to allow requests from port 3001 (frontend development)
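Review bot: the added line reads more plainly as `CSRF_TRUSTED_ORIGINS = [WEB_CLIENT_URL]`; wrapping a single variable in an f-string adds nothing. Note also that the entry inherits its scheme from the branch at the top of the hunk (`WEB_CLIENT_URL = f"http://{WEB_CLIENT_DOMAIN}"` in the else case), so a deployment behind a TLS-terminating proxy only gets a usable https origin when HTTPS_ENABLED is set, and the `if STAGE_LOCAL:` block that follows the insertion should be checked to confirm it appends to this list for the port 3001 frontend rather than reassigning it.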

xofolowski avatar Sep 30 '24 22:09 xofolowski
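To show why the https origin is rejected until that setting exists, here is an added example (not IntelOwl's or Django's code) that mirrors the scheme selection in security.py and replays a simplified version of Django's CsrfViewMiddleware origin check; the FQDN and the proxy layout are constructed from the issue description.

```python
"""Added example (not IntelOwl's or Django's code): derive the trusted origin
the way security.py does and replay Django's CSRF origin check against it."""
from urllib.parse import urlsplit


def build_settings(web_client_domain: str, https_enabled: bool) -> dict:
    """Mirror the scheme selection shown in intel_owl/settings/security.py
    and add the CSRF_TRUSTED_ORIGINS entry from the issue's patch."""
    scheme = "https" if https_enabled else "http"
    web_client_url = f"{scheme}://{web_client_domain}"
    return {
        "WEB_CLIENT_URL": web_client_url,
        # Django 4+ requires a scheme in every trusted origin entry.
        "CSRF_TRUSTED_ORIGINS": [web_client_url],
    }


def origin_trusted(origin: str, trusted: list[str],
                   request_host: str, request_secure: bool) -> bool:
    """Simplified CsrfViewMiddleware logic: the Origin header passes if it
    equals the request's own scheme://host, or matches an entry in
    CSRF_TRUSTED_ORIGINS (a '*.' prefix covers the domain and subdomains)."""
    own = f"{'https' if request_secure else 'http'}://{request_host}"
    if origin == own:
        return True
    o = urlsplit(origin)
    for entry in trusted:
        t = urlsplit(entry)
        if t.scheme != o.scheme:
            continue
        if t.netloc == o.netloc:
            return True
        if t.netloc.startswith("*."):
            suffix = t.netloc[1:]            # ".example.test"
            if o.netloc.endswith(suffix) or o.netloc == suffix[1:]:
                return True
    return False


def demo() -> tuple[bool, bool]:
    """Constructed scenario from the report: TLS ends at an external proxy,
    the container's nginx is plain http, so Django sees the request as
    http://<fqdn> while the browser sends Origin: https://<fqdn>."""
    fqdn = "intelowl.example.test"        # constructed placeholder for <fqdn>
    origin = f"https://{fqdn}"
    before = origin_trusted(origin, [], fqdn, request_secure=False)
    fixed = build_settings(fqdn, https_enabled=True)["CSRF_TRUSTED_ORIGINS"]
    after = origin_trusted(origin, fixed, fqdn, request_secure=False)
    return before, after                  # (False, True)
```

With HTTPS_ENABLED left unset the derived entry is http://<fqdn> and the https origin is still rejected, which is why the HTTPS_ENABLED=True step in the reproduction matters.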

hey thanks for reporting! considering that you found the issue, would you like to open a little PR about that? so you can become an official contributor!

mlodic avatar Oct 18 '24 13:10 mlodic

Hi, well, guess that was not a major contribution ;-) I've created https://github.com/intelowlproject/IntelOwl/pull/2551 Apologies if anything is missing - I'm kind of a very basic git user and not yet that experienced with contributing to projects.

xofolowski avatar Oct 22 '24 19:10 xofolowski