From 87808a3ffefd7c897d3bd0d02eb702ab40ac24a5 Mon Sep 17 00:00:00 2001
From: Midgard
Date: Wed, 25 Mar 2020 22:10:19 +0100
Subject: [PATCH] Fix CORS: make mitmproxy intercept OPTIONS

Mattermost doesn't support OPTIONS so we have to handle it in our proxy.
---
.gitignore | 5 +++++
etc/mitm_cors.py | 29 +++++++++++++++++++++++++++++
rundev.sh | 14 ++++++++++++++
3 files changed, 48 insertions(+)
create mode 100644 .gitignore
create mode 100644 etc/mitm_cors.py
create mode 100755 rundev.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..68e4d41
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+__pycache__/
+.mypy_cache/
+*.pyc
+*.bak
+*~
diff --git a/etc/mitm_cors.py b/etc/mitm_cors.py
new file mode 100644
index 0000000..aa783cb
--- /dev/null
+++ b/etc/mitm_cors.py
@@ -0,0 +1,29 @@
+# Script for mitmproxy, used in ../rundev.sh. Not meant to be run directly.
+
+from mitmproxy import http
+
+# More information about CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
+
+ALLOW_ORIGIN = "http://localhost:8000"
+ALLOW_HEADERS = "Authorization, *" # Which headers the browser may send
+EXPOSE_HEADERS = "Authorization, *" # Which headers the browser may expose to scripts
+HIDE_ORIGIN = True
+
+
+def response(flow):
+ flow.response.headers["Access-Control-Allow-Origin"] = ALLOW_ORIGIN
+ flow.response.headers["Access-Control-Expose-Headers"] = EXPOSE_HEADERS
+
+def request(flow):
+ # Hijack CORS OPTIONS request
+ if flow.request.method == "OPTIONS":
+ flow.response = http.HTTPResponse.make(200, b"", {
+ "Access-Control-Allow-Origin": ALLOW_ORIGIN,
+ "Access-Control-Allow-Methods": "GET,POST",
+ "Access-Control-Allow-Headers": ALLOW_HEADERS,
+ "Access-Control-Max-Age": "10"
+ })
+
+ # Privacy
+ if HIDE_ORIGIN:
+ flow.request.headers["Origin"] = "null"
diff --git a/rundev.sh b/rundev.sh
new file mode 100755
index 0000000..ab896d3
--- /dev/null
+++ b/rundev.sh
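Review bot: In `request` of etc/mitm_cors.py, the `if flow.request.method == "OPTIONS":` branch answers every OPTIONS request with a synthetic 200 and the CORS headers, whether or not it is a browser preflight, and then still falls through to the Origin rewrite. Gating it on the preflight header keeps other OPTIONS traffic going to the upstream: `if flow.request.method == "OPTIONS" and "Access-Control-Request-Method" in flow.request.headers:`. The fixed `"Access-Control-Allow-Methods": "GET,POST"` will also make the browser refuse any PUT or DELETE call sent through the proxy, if the upstream API uses those methods. `HIDE_ORIGIN` deserves a comment such as `# Upstream sees "Origin: null" on every request, so its own origin checks no longer see the real page origin`, since the current `# Privacy` label does not say what the upstream loses.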
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+MATTERMOST_REMOTE="https://mattermost.zeus.gent"
+
+
+if [[ $MATTERMOST_REMOTE == */ ]]; then
+ echo "MATTERMOST_REMOTE should not end with a slash (it should only the protocol and the domain; no path)" >&2
+ exit 1
+fi
+
+cd "$(dirname "$0")"
+
+python3 -m "http.server" >/dev/null 2>&1 &
+mitmproxy -s etc/mitm_cors.py -m "reverse:$MATTERMOST_REMOTE"
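Review bot: The last two lines start listeners that are not restricted to loopback: `python3 -m "http.server"` binds to all interfaces by default and serves the script's directory (for a checkout that includes `.git`), and mitmproxy is given no listen address either, so the reverse proxy with its permissive CORS rewriting is reachable from the local network unless a firewall blocks it. For a development helper, bind both to localhost: `python3 -m http.server --bind 127.0.0.1 >/dev/null 2>&1 &` and `mitmproxy --listen-host 127.0.0.1 -s etc/mitm_cors.py -m "reverse:$MATTERMOST_REMOTE"`. The background http.server is also left running after mitmproxy exits; recording `$!` and killing it in a `trap ... EXIT` would clean it up. `cd "$(dirname "$0")"` has no `|| exit 1`, so a failed `cd` would serve whatever directory the script was started from.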