ZABBIX FEATURE REQUESTS
ZBXNEXT-1377

Make api_jsonrpc.php allow cross-site ajax requests (cors)

    Details

    • Type: New Feature Request
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: API (A)
    • Labels:

        Activity

        Alexey Fukalov added a comment -

        dev branch: ZBX-3871

        Aleksandrs Saveljevs added a comment -

        Why did we need to do this? Is it required by Zabbix itself?

        Alexey Fukalov added a comment -

        It's not needed by Zabbix itself, but it allows performing ajax API requests from domains different from the Zabbix frontend domain.
        https://developer.mozilla.org/En/HTTP_Access_Control

        richlv added a comment -

        What's the status of this one?

        Pavels Jelisejevs (Inactive) added a comment -

        We've discussed it with Vedmak and decided that allowing the API to receive requests from any domain is a really bad idea from the security point of view.

        It would be nice to implement some kind of setting to allow users to specify which domains may have access to the API. It may open some interesting perspectives for 3rd-party developers.

        Onno Steenbergen added a comment -

        As I needed it, I decided to adjust the JSON-RPC endpoint to allow for cross-domain scripting.

        Here are my changes to the api_jsonrpc.php file:

        <?php
        //WHICH DOMAINS DO WE ALLOW
        define('AJAX_ORIGIN', 'http://example.com');

        define('ZBX_RPC_REQUEST', 1);
        require_once dirname(__FILE__).'/include/config.inc.php';

        $allowed_content = array(
            'application/json-rpc' => 'json-rpc',
            'application/json' => 'json-rpc',
            'application/jsonrequest' => 'json-rpc',
            // 'application/xml-rpc' => 'xml-rpc',
            // 'application/xml' => 'xml-rpc',
            // 'application/xmlrequest' => 'xml-rpc'
        );
        ?>
        <?php

        $http_request = new CHTTP_request();
        $content_type = $http_request->header('Content-Type');
        $content_type = explode(';', $content_type);
        $content_type = $content_type[0];

        //CHECK FOR AN ACCESS REQUEST (CORS PREFLIGHT)
        $access_control = $http_request->header('Access-Control-Request-Method');
        if (!empty($access_control)) {
            //WE ALLOW THE REQUEST
            header("Access-Control-Allow-Origin: " . AJAX_ORIGIN);
            //BUT ONLY POST AND OPTIONS
            header("Access-Control-Allow-Methods: POST, OPTIONS");
            //AND THE CONTENT-TYPE IS ALLOWED
            header("Access-Control-Allow-Headers: Content-Type");
            header("Access-Control-Allow-Credentials: false");
            //DO NOT DO THE CHECK EVERY REQUEST
            header("Access-Control-Max-Age: 60");
            exit();
        }

        if (!isset($allowed_content[$content_type])) {
            header('HTTP/1.0 412 Precondition Failed');
            exit();
        }

        $data = $http_request->body();
        if ($allowed_content[$content_type] == 'json-rpc') {
            header('Content-Type: application/json');
            //EVERY RESPONSE SHOULD ALLOW THIS ORIGIN
            //OTHERWISE BROWSERS SHOW EMPTY CONTENTS
            header("Access-Control-Allow-Origin: " . AJAX_ORIGIN);
            $jsonRpc = new CJSONrpc($data);
            print($jsonRpc->execute());
        }
        else if ($allowed_content[$content_type] == 'xml-rpc') {
        }

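An origin allow-list of the kind suggested in Pavels' comment above, replacing the single hard-coded AJAX_ORIGIN in Onno's patch: this is an added example and is not code from this issue or from Zabbix. The $allowed_origins list, the hostnames in it and cors_headers_for() are assumptions; the request is read from the usual $_SERVER superglobals rather than from CHTTP_request.

```php
<?php
// Added example, not Zabbix code: a configurable origin allow-list for the
// CORS headers on api_jsonrpc.php. The browser's Origin header is compared
// exactly against a configured list and only a matching origin is echoed
// back; an unknown origin gets no CORS headers at all, so the browser
// refuses to hand the response to the calling page.
// The list, its hostnames and the function name are assumptions.

// Hypothetical setting: full origins (scheme + host [+ port]), no wildcards.
$allowed_origins = array(
    'https://dashboard.example.com',
    'https://ops.example.org:8443',
);

/**
 * Decide which CORS headers to send for one request.
 *
 * Returns an associative array of header name => value, or an empty array
 * when Origin is absent (same-origin requests carry none) or not allow-listed.
 */
function cors_headers_for($origin, array $allowed, $is_preflight) {
    if ($origin === null || $origin === '') {
        return array();
    }
    // Exact, case-sensitive match of the whole origin. A prefix or substring
    // test ("example.com" matching "example.com.evil.net") would defeat the
    // allow-list, so in_array() with strict comparison is used instead.
    if (!in_array($origin, $allowed, true)) {
        return array();
    }
    $headers = array(
        // Echo only the matched origin, never "*": with "*" any site could
        // read API responses, and "*" cannot be combined with credentials.
        'Access-Control-Allow-Origin' => $origin,
        // The response now differs per Origin, so shared caches must key on it.
        'Vary' => 'Origin',
    );
    if ($is_preflight) {
        $headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS';
        $headers['Access-Control-Allow-Headers'] = 'Content-Type';
        $headers['Access-Control-Max-Age'] = '60';
    }
    // No Access-Control-Allow-Credentials: the JSON-RPC API authenticates
    // with the "auth" token inside the request body, not with cookies, so
    // cross-origin callers never need the browser to attach credentials.
    return $headers;
}

// Glue for the live request: read the headers and emit the decision.
$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : null;
$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';
$is_preflight = ($method === 'OPTIONS')
    && isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']);

foreach (cors_headers_for($origin, $allowed_origins, $is_preflight) as $name => $value) {
    header($name . ': ' . $value);
}
if ($is_preflight) {
    // Preflight gets an empty 204 whether or not the origin matched; the
    // missing Allow-Origin is what makes the browser block the real call.
    header('HTTP/1.1 204 No Content');
    exit();
}
// ... the existing JSON-RPC dispatch (CJSONrpc) would follow here.
```

The key difference from the single-origin patch is that the allowed value is never sent unconditionally: an Origin of https://example.com.evil.net or a request with no Origin at all leaves the response without CORS headers, while a listed origin gets exactly itself reflected together with Vary: Origin.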
        Pavels Jelisejevs (Inactive) added a comment -

        A related issue - ZBX-8459.

        Andrejs Čirkovs (Inactive) added a comment -

        CLOSED by ZBX-8459.


          People

          • Assignee: Unassigned
          • Reporter: Alexey Fukalov
          • Votes: 0
          • Watchers: 1