rc: Added command line parameter to control the cross origin resource sharing (CORS) in the rcd. (Security Improvement)

rc: Import statements


Fixing the problem with test

fs/rc/rc.go

@@ -17,14 +17,15 @@ import (
 
 // Options contains options for the remote control server
 type Options struct {
-	HTTPOptions    httplib.Options
+	HTTPOptions              httplib.Options
-	Enabled        bool   // set to enable the server
+	Enabled                  bool   // set to enable the server
-	Serve          bool   // set to serve files from remotes
+	Serve                    bool   // set to serve files from remotes
-	Files          string // set to enable serving files locally
+	Files                    string // set to enable serving files locally
-	NoAuth         bool   // set to disable auth checks on AuthRequired methods
+	NoAuth                   bool   // set to disable auth checks on AuthRequired methods
-	WebUI          bool   // set to launch the web ui
+	WebUI                    bool   // set to launch the web ui
-	WebGUIUpdate   bool   // set to download new update
+	WebGUIUpdate             bool   // set to download new update
-	WebGUIFetchURL string // set the default url for fetching webgui
+	WebGUIFetchURL           string // set the default url for fetching webgui
+	AccessControlAllowOrigin string // set the access control for CORS configuration
 
 }
 

fs/rc/rcflags/rcflags.go

@@ -23,5 +23,6 @@ func AddFlags(flagSet *pflag.FlagSet) {
 	flags.BoolVarP(flagSet, &Opt.WebUI, "rc-web-gui", "", false, "Launch WebGUI on localhost")
 	flags.BoolVarP(flagSet, &Opt.WebGUIUpdate, "rc-web-gui-update", "", false, "Update / Force update to latest version of web gui")
 	flags.StringVarP(flagSet, &Opt.WebGUIFetchURL, "rc-web-fetch-url", "", "https://api.github.com/repos/rclone/rclone-webui-react/releases/latest", "URL to fetch the releases for webgui.")
+	flags.StringVarP(flagSet, &Opt.AccessControlAllowOrigin, "rc-allow-origin", "", "", "Set the allowed origin for CORS.")
 	httpflags.AddFlagsPrefix(flagSet, "rc-", &Opt.HTTPOptions)
 }

fs/rc/rcserver/rcserver.go

@@ -13,10 +13,6 @@ import (
 	"sort"
 	"strings"
 
-	"github.com/skratchdot/open-golang/open"
-
-	"github.com/rclone/rclone/fs/rc/jobs"
-
 	"github.com/pkg/errors"
 	"github.com/rclone/rclone/cmd/serve/httplib"
 	"github.com/rclone/rclone/cmd/serve/httplib/serve"
@@ -25,6 +21,9 @@ import (
 	"github.com/rclone/rclone/fs/config"
 	"github.com/rclone/rclone/fs/list"
 	"github.com/rclone/rclone/fs/rc"
+	"github.com/rclone/rclone/fs/rc/jobs"
+	"github.com/rclone/rclone/fs/rc/rcflags"
+	"github.com/skratchdot/open-golang/open"
 )
 
 // Start the remote control server if configured
@@ -130,7 +129,15 @@ func writeError(path string, in rc.Params, w http.ResponseWriter, err error, sta
 func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
 	path := strings.TrimLeft(r.URL.Path, "/")
 
-	w.Header().Add("Access-Control-Allow-Origin", "*")
+	allowOrigin := rcflags.Opt.AccessControlAllowOrigin
+	if allowOrigin != "" {
+		if allowOrigin == "*" {
+			fs.Logf(nil, "Warning: Allow origin set to *. This can cause serious security problems.")
+		}
+		w.Header().Add("Access-Control-Allow-Origin", allowOrigin)
+	} else {
+		w.Header().Add("Access-Control-Allow-Origin", s.URL())
+	}
 
 	// echo back access control headers client needs
 	//reqAccessHeaders := r.Header.Get("Access-Control-Request-Headers")

fs/rc/rcserver/rcserver_test.go

@@ -458,7 +458,7 @@ func TestMethods(t *testing.T) {
 		Status:   http.StatusOK,
 		Expected: "",
 		Headers: map[string]string{
-			"Access-Control-Allow-Origin":   "*",
+			"Access-Control-Allow-Origin":   "http://localhost:5572/",
 			"Access-Control-Request-Method": "POST, OPTIONS, GET, HEAD",
 			"Access-Control-Allow-Headers":  "authorization, Content-Type",
 		},