...
Info |
---|
This Admin Instruction explains how to configure a domain whitelist to protect the PBX from cross-site request forgery (CSRF) attacks. Created: April 2018. Updated: June 2018. WMS Version: 3.88. Permalink: https://confluence.wildix.com/x/SwBuAQ |
Warning |
---|
IMPORTANT: Trusted domains must be added to a domain whitelist! Please note that any Web API / PBX API integration will stop working if the domain is not added. |
Warning |
---|
If you are using Firewalls, make sure the following pool of IP addresses is present in your Whitelist for access to Wildix microservices: 3.122.16.10 |
Introduction
The main purpose of adding domains to a whitelist is to protect PBX from cross-site request forgery (CSRF) attacks.
...
To allow such interactions, cross-origin resource sharing (CORS) is used. It is a standard that allows cross-domain requests. CORS can be defined as a set of headers that allow a browser and a server to communicate about which requests are and are not allowed. The simplest way is to check that the request originates from a trusted site, using the Origin request header. For example,
```
Origin: https://ucuapbx_name.wildixin.com
```
If a server decides that the request should be allowed, it sends the Access-Control-Allow-Origin header with the same origin that was sent. For example,
```
Access-Control-Allow-Origin: https://ucuapbx_name.wildixin.com
```
If this header is missing or the origins don’t match, then the request is not allowed. If origins match, then a browser processes the request.
...
Whitelist is configured in WMS -> Settings -> PBX -> Security -> CORS.
To configure a domain whitelist:
Enter the IP address / domain name and click + to add the value:
Supported formats of IP address / domain name:
- http://<domain or IP address> / https://<domain or IP address>
- http://<domain or IP address>:port / https://<domain or IP address>:port
Examples:
- https://ucuatestpbx.wildixin.com/
- https://ucuatestpbx.wildixin.com:4443/
- http://ucuatestpbx.wildixin.com/
It is also possible to add patterns using the asterisk symbol "*", which replaces letters, numbers and dashes:
Examples:
- https://*.wildixin.com
- *://*.wildixin.com
- https://*.*.wildixin.com
Note: An IP range can't be specified in this case. You just need to enter one IP address.
Note: Wildix Portal "https://pbx.wildix.com/" and Wildix Chrome Extension "https://chrome-extension://lobgohpoobpijgfegnlhdnppegdbomkn" are hardcoded in the whitelist; there is no need to add them.
After you enter all the values, click Save:
To delete the value from the list, click X.
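The following sketch is an added example, not Wildix code: it shows one way a server could match an incoming Origin header against whitelist entries in the formats above and decide whether to send Access-Control-Allow-Origin. It assumes "*" stands for one or more letters, numbers or dashes (so it never crosses a dot or colon); the function names and the sample Origin values are constructed for illustration.

```python
import re

# Assumption from the page's wording: "*" replaces letters, numbers and
# dashes only, so it never spans a dot, colon or slash.
WILDCARD = "[A-Za-z0-9-]+"

def compile_entry(entry):
    """Compile one whitelist entry into a regex for whole-string matching."""
    entry = entry.rstrip("/")  # an Origin header has no trailing slash
    literal_parts = [re.escape(part) for part in entry.split("*")]
    return re.compile(WILDCARD.join(literal_parts), re.IGNORECASE)

def is_allowed(origin, whitelist):
    """True only if the entire Origin value matches some entry."""
    if not origin:
        return False
    return any(compile_entry(e).fullmatch(origin) for e in whitelist)

def cors_headers(origin, whitelist):
    """Headers a server would add for this request; empty means not allowed."""
    if is_allowed(origin, whitelist):
        # Echo the matched origin; Vary keeps caches from reusing it for others.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}

# Entries taken from the page's examples.
WHITELIST = ["https://*.wildixin.com", "https://ucuatestpbx.wildixin.com:4443/"]

# Constructed Origin values for illustration.
SAMPLES = [
    "https://ucuatestpbx.wildixin.com",       # one label before .wildixin.com
    "https://ucuatestpbx.wildixin.com:4443",  # exact entry with port
    "http://ucuatestpbx.wildixin.com",        # scheme differs
    "https://a.b.wildixin.com",               # two labels; needs https://*.*.wildixin.com
    "https://ucuatestpbx.wildixin.com:8443",  # port not listed
    "https://wildixin.com.example.net",       # whitelist domain is only a prefix
]

if __name__ == "__main__":
    for origin in SAMPLES:
        print(origin, "->", cors_headers(origin, WHITELIST) or "no CORS header")
```

Matching the whole Origin string, rather than searching for the pattern inside it, is what keeps look-alike hosts and unlisted ports out; the broader an entry (for example `*://*.wildixin.com`), the more origins receive the header.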
...