[ZBXNEXT-1377] Make api_jsonrpc.php allow cross-site ajax requests (cors) Created: 2011 Jun 09  Updated: 2014 Jul 17  Resolved: 2014 Jul 11

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: API (A)
Affects Version/s: None
Fix Version/s: None

Type: New Feature Request Priority: Minor
Reporter: Alexey Fukalov Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates ZBX-8459 Zabbix API doesn't support OPTION req... Closed

Comments
Comment by Alexey Fukalov [ 2011 Jun 09 ]

dev branch: ZBX-3871

Comment by Aleksandrs Saveljevs [ 2011 Jun 09 ]

Why did we need to do this? Is it required by Zabbix itself?

Comment by Alexey Fukalov [ 2011 Jun 09 ]

It's not needed by Zabbix itself, but it allows performing ajax api requests from domains different from the Zabbix frontend domain.
https://developer.mozilla.org/En/HTTP_Access_Control

Comment by richlv [ 2011 Aug 09 ]

what's the status of this one ?

Comment by Pavels Jelisejevs (Inactive) [ 2011 Dec 07 ]

We've discussed it with Vedmak and decided that allowing the API to receive requests from any domain is a really bad idea from the security point of view.

It would be nice to implement some kind of setting to allow the users to specify which domains may have access to the API. It may open some interesting perspectives for 3rd party developers.

Comment by Onno Steenbergen [ 2012 Aug 01 ]

As I needed it I decided to adjust the JSON RPC to allow for cross domain scripting.

Here are my changes to the api_jsonrpc.php file:

<?php
//WHICH DOMAINS DO WE ALLOW
define('AJAX_ORIGIN', 'http://example.com');

define('ZBX_RPC_REQUEST', 1);
require_once dirname(__FILE__).'/include/config.inc.php';

$allowed_content = array(
	'application/json-rpc' => 'json-rpc',
	'application/json' => 'json-rpc',
	'application/jsonrequest' => 'json-rpc',
	// 'application/xml-rpc' => 'xml-rpc',
	// 'application/xml' => 'xml-rpc',
	// 'application/xmlrequest' => 'xml-rpc'
);

$http_request = new CHTTP_request();
$content_type = $http_request->header('Content-Type');
$content_type = explode(';', $content_type);
$content_type = $content_type[0];

//CHECK FOR AN ACCESS REQUEST (CORS PREFLIGHT)
$access_control = $http_request->header('Access-Control-Request-Method');
if (!empty($access_control)) {
	//WE ALLOW THE REQUEST
	header("Access-Control-Allow-Origin: " . AJAX_ORIGIN);
	//BUT ONLY POST AND OPTIONS
	header("Access-Control-Allow-Methods: POST, OPTIONS");
	//AND THE CONTENT-TYPE IS ALLOWED
	header("Access-Control-Allow-Headers: Content-Type");
	// browsers only recognise the value "true"; any other value is the same as omitting the header
	header("Access-Control-Allow-Credentials: false");
	//DO NOT DO THE CHECK EVERY REQUEST
	header("Access-Control-Max-Age: 60");
	exit();
}

if (!isset($allowed_content[$content_type])) {
	header('HTTP/1.0 412 Precondition Failed');
	exit();
}

$data = $http_request->body();
if ($allowed_content[$content_type] == 'json-rpc') {
	header('Content-Type: application/json');
	//EVERY RESPONSE SHOULD ALLOW THIS ORIGIN
	//OTHERWISE BROWSERS SHOW EMPTY CONTENTS
	header("Access-Control-Allow-Origin: " . AJAX_ORIGIN);
	$jsonRpc = new CJSONrpc($data);
	print($jsonRpc->execute());
}
else if ($allowed_content[$content_type] == 'xml-rpc') {
}
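The patch above hard-codes a single origin; Pavels' earlier comment asks for a configurable list of domains instead. The following is an added example, not Zabbix code or the patch author's, showing how api_jsonrpc.php could answer both preflight and actual requests from an allowlist: the Origin header is compared by exact string match and echoed back only on a match, nothing is emitted for unknown origins, and a Vary: Origin header keeps caches from serving one origin's answer to another. The allowlist variable and the function name are hypothetical.

```php
<?php
// Hypothetical allowlist; in a real deployment this would be a frontend config setting.
$ZBX_CORS_ALLOWED_ORIGINS = ['https://dashboard.example.com', 'https://ops.example.net'];

/**
 * Decide which CORS headers to emit for one request.
 * $origin is the request's Origin header (null when absent, i.e. same-origin),
 * $acrm is Access-Control-Request-Method (present only on a preflight).
 * Returns ['headers' => string[], 'preflight' => bool, 'allowed' => bool].
 */
function zbx_cors_headers(array $allowed, ?string $origin, string $method, ?string $acrm): array {
	$headers = ['Vary: Origin']; // response depends on Origin, so caches must key on it
	$isPreflight = ($method === 'OPTIONS' && $acrm !== null);

	// Same-origin requests carry no Origin header; nothing CORS-related to add.
	if ($origin === null) {
		return ['headers' => $headers, 'preflight' => $isPreflight, 'allowed' => true];
	}
	// Exact match only: no wildcard and no substring or regex matching on the origin.
	if (!in_array($origin, $allowed, true)) {
		// Unknown origin: no Allow-Origin header at all, so the browser withholds the response.
		return ['headers' => $headers, 'preflight' => $isPreflight, 'allowed' => false];
	}
	$headers[] = 'Access-Control-Allow-Origin: ' . $origin;
	// Access-Control-Allow-Credentials is deliberately omitted (same as "false"):
	// the API session token travels in the JSON-RPC body, not in a cookie.
	if ($isPreflight) {
		$headers[] = 'Access-Control-Allow-Methods: POST, OPTIONS';
		$headers[] = 'Access-Control-Allow-Headers: Content-Type';
		$headers[] = 'Access-Control-Max-Age: 60';
	}
	return ['headers' => $headers, 'preflight' => $isPreflight, 'allowed' => true];
}

// Usage at the top of api_jsonrpc.php: emit the headers, and stop early on a preflight.
$origin = $_SERVER['HTTP_ORIGIN'] ?? null;
$acrm = $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] ?? null;
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$cors = zbx_cors_headers($ZBX_CORS_ALLOWED_ORIGINS, $origin, $method, $acrm);
foreach ($cors['headers'] as $h) {
	header($h);
}
if ($cors['preflight']) {
	header($cors['allowed'] ? 'HTTP/1.1 204 No Content' : 'HTTP/1.1 403 Forbidden');
	exit();
}
// ...the existing Content-Type check and CJSONrpc dispatch follow here.
```

A preflight from https://dashboard.example.com gets the Allow-Origin, Allow-Methods, Allow-Headers and Max-Age headers; a request from an origin not in the list gets only Vary: Origin, and a preflight from it is answered with 403.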

Comment by Pavels Jelisejevs (Inactive) [ 2014 Jul 10 ]

A related issue - ZBX-8459.

Comment by Andrejs Čirkovs (Inactive) [ 2014 Jul 11 ]

CLOSED by ZBX-8459.

Generated at Thu Apr 25 22:52:31 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.