
[BUG] Web App POST missing Referer

Open hieutomra opened this issue 1 year ago • 4 comments

In our case, we host our FiftyOne App inside Azure App Service (running as a docker container) with authentication against Entra ID. Everything worked except that the FiftyOne web app JavaScript does POSTs for graphql and events that are missing the Referer header, and such requests seem to be blocked by Azure App Service.


I found this by comparing header between a working POST and a fiftyone failing one:

POST / HTTP/1.1
Host: REDACTED.azurewebsites.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Origin: https://REDACTED.azurewebsites.net
DNT: 1
Connection: keep-alive
Referer: https://REDACTED.azurewebsites.net/
Cookie: AppServiceAuthSession=REDACTED
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1

Failing one from fiftyone javascript:

POST /foSession/hieu/events HTTP/1.1
Host: REDACTED.azurewebsites.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 305
Origin: https://REDACTED.azurewebsites.net
DNT: 1
Connection: keep-alive
Cookie: AppServiceAuthSession=REDACTED
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Sec-GPC: 1

And to confirm, I added the Referer to the header of the FiftyOne POST and the POST succeeded.

This should be quite easy to fix if you know where in the code those POST are triggered.

System information

  • OS Platform and Distribution: Ubuntu 20.04 (docker)
  • Python version: 3.10
  • FiftyOne version: 0.24.0

hieutomra avatar Jun 27 '24 11:06 hieutomra
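An added example, not code from this issue or from FiftyOne, that performs the header comparison described above mechanically and shows the fetch() options a client uses to send a Referer. The request dumps are constructed, abridged copies of the two captures above; the `referrerInit` name and its parameters are assumptions.

```javascript
// Added example, not code from FiftyOne or from this issue thread.
// parseRequest() reads a raw HTTP/1.1 request dump (the format pasted above)
// into a lowercase header map; diffHeaders() lists what the failing request
// lacks or changes; referrerInit() shows the fetch() options that control Referer.

function parseRequest(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const [method, target] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === '') break;                 // blank line ends the header block
    const idx = line.indexOf(':');
    if (idx === -1) continue;               // skip anything that is not a header
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, headers };
}

function diffHeaders(working, failing) {
  const keys = Object.keys(working.headers);
  return {
    missing: keys.filter(h => !(h in failing.headers)).sort(),
    changed: keys.filter(h => h in failing.headers &&
                              working.headers[h] !== failing.headers[h]).sort(),
  };
}
// "Referer" is a forbidden request header name, so putting it in `headers` is
// silently dropped by browsers; use the referrer/referrerPolicy init options.
function referrerInit(body, pageUrl) {
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    referrer: pageUrl,                      // must be same-origin or "about:client"
    referrerPolicy: 'strict-origin-when-cross-origin',
    body: JSON.stringify(body),
  };
}

// Constructed captures, abridged from the two requests quoted in the issue.
const WORKING = `POST / HTTP/1.1
Origin: https://REDACTED.azurewebsites.net
Referer: https://REDACTED.azurewebsites.net/
Cookie: AppServiceAuthSession=REDACTED
Sec-Fetch-Mode: navigate`;
const FAILING = `POST /foSession/hieu/events HTTP/1.1
Origin: https://REDACTED.azurewebsites.net
Cookie: AppServiceAuthSession=REDACTED
Sec-Fetch-Mode: cors`;
```

Note that the failing request still carries the session cookie; the only header the working request has and it lacks is Referer, which is the same conclusion the captures above reach by hand.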

Hi @hieutomra. We can look into adding Referer, but as this is an environment that open source is not tested in we cannot guarantee support. The open source project is designed for individual use.

If you have a team, please reach out! 🚀

benjaminpkane avatar Jun 27 '24 15:06 benjaminpkane

I understand. If you can point me to where I can start, I can give it a try and potentially do a PR.

hieutomra avatar Jun 27 '24 22:06 hieutomra

Seems similar to #1668

hieutomra avatar Jun 27 '24 22:06 hieutomra

> Seems similar to #1668

Unrelated. That was an issue related to our CVAT integration. The fetch function is in the @fiftyone/utilities ./app package. We can take a look at a PR, if the changes are minimal.

benjaminpkane avatar Jul 01 '24 15:07 benjaminpkane