[ZBXNEXT-1377] Make api_jsonrpc.php allow cross-site ajax requests (cors) Created: 2011 Jun 09 Updated: 2014 Jul 17 Resolved: 2014 Jul 11 |
|
Status: | Closed |
Project: | ZABBIX FEATURE REQUESTS |
Component/s: | API (A) |
Affects Version/s: | None |
Fix Version/s: | None |
Type: | New Feature Request | Priority: | Minor |
Reporter: | Alexey Fukalov | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 0 |
Labels: | security | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Issue Links: |
|
Comments |
Comment by Alexey Fukalov [ 2011 Jun 09 ] |
dev branch: |
Comment by Aleksandrs Saveljevs [ 2011 Jun 09 ] |
Why did we need to do this? Is it required by Zabbix itself? |
Comment by Alexey Fukalov [ 2011 Jun 09 ] |
It's not needed by Zabbix itself, but it allows performing ajax API requests from domains different from the Zabbix frontend domain. |
Comment by richlv [ 2011 Aug 09 ] |
What's the status of this one? |
Comment by Pavels Jelisejevs (Inactive) [ 2011 Dec 07 ] |
We've discussed it with Vedmak and decided that allowing the API to receive requests from any domain is a really bad idea from the security point of view. It would be nice to implement some kind of setting to allow users to specify which domains may have access to the API. It may open some interesting perspectives for 3rd party developers. |
Comment by Onno Steenbergen [ 2012 Aug 01 ] |
As I needed it I decided to adjust the JSON RPC to allow for cross domain scripting. Here are my changes to the api_jsonrpc.php file:
<?php
define('ZBX_RPC_REQUEST', 1);
$allowed_content = array(
$http_request = new CHTTP_request();
//CHECK FOR AN ACCESS REQUEST
if(!isset($allowed_content[$content_type])) {
    header('HTTP/1.0 412 Precondition Failed');
    exit();
}
$data = $http_request->body();
else if($allowed_content[$content_type] == 'xml-rpc'){ |
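An added example (not Zabbix code and not written by any commenter) of the per-domain allowlist suggested in the 2011 Dec 07 comment, as it could sit at the top of an entry script such as api_jsonrpc.php. The function name corsDecision, the $allowedOrigins setting and the example.com origins are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not part of Zabbix.
// Assumed setting: exact origins (scheme://host[:port]) permitted to call the API.
$allowedOrigins = ['https://dashboard.example.com', 'https://tools.example.com:8443'];

/**
 * Decide the CORS response for one request.
 * Returns [status, headers]; status is null when normal processing continues.
 */
function corsDecision(string $method, ?string $origin, ?string $acrMethod, array $allowedOrigins): array
{
    // The response differs per origin, so caches must key on the Origin header.
    $headers = ['Vary' => 'Origin'];

    // No Origin header: not a cross-origin browser request, so no CORS headers.
    if ($origin === null || $origin === '') {
        return [null, $headers];
    }
    // Exact string match only: no "*", no suffix or regex matching, and the
    // literal origin "null" is never accepted unless someone lists it.
    if (!in_array($origin, $allowedOrigins, true)) {
        // Refuse the preflight outright. A non-preflight request is processed as
        // it was before CORS support, but without Access-Control-Allow-Origin
        // the browser will not expose the response to the calling page.
        return [$method === 'OPTIONS' ? 403 : null, $headers];
    }
    // Echoing $origin is safe here because it equals a configured value.
    // Access-Control-Allow-Credentials is deliberately not sent.
    $headers['Access-Control-Allow-Origin'] = $origin;
    if ($method === 'OPTIONS' && $acrMethod !== null) {
        // Preflight from an allowed origin: answer it and stop.
        $headers['Access-Control-Allow-Methods'] = 'POST';
        $headers['Access-Control-Allow-Headers'] = 'Content-Type';
        $headers['Access-Control-Max-Age'] = '600';
        return [204, $headers];
    }
    return [null, $headers];
}

// Wiring: run before any request body is read or any output is sent.
[$status, $headers] = corsDecision(
    $_SERVER['REQUEST_METHOD'] ?? 'GET',
    $_SERVER['HTTP_ORIGIN'] ?? null,
    $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] ?? null,
    $allowedOrigins
);
foreach ($headers as $name => $value) { header("$name: $value"); }
if ($status !== null) { http_response_code($status); exit; }
```

CORS headers only control what a browser lets the calling page read; the API's own authentication still has to reject unauthenticated calls regardless of origin.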
Comment by Pavels Jelisejevs (Inactive) [ 2014 Jul 10 ] |
A related issue - |
Comment by Andrejs Čirkovs (Inactive) [ 2014 Jul 11 ] |
CLOSED by |