Document description
Created: April 2018
IMPORTANT: Trusted domains must be added to the domain whitelist! Please note that any Web API / PBX API integration will stop working if the domain is not added.
Introduction
To prevent cross-site data interception, an 'Origin' header whitelist has been implemented for API queries.
Technical Details
The whitelist can be configured in WMS Settings > PBX > Security
Settings are stored in /rw2/etc/pbx/http-security.conf
The following origin formats are supported in the configuration:
http://<domain or ip address> / https://<domain or ip address>
http://<domain or ip address>:port / https://<domain or ip address>:port
Note: The origins of Wildix Portal ('https://pbx.wildix.com') and Wildix Chrome Extension ('chrome-extension://lobgohpoobpijgfegnlhdnppegdbomkn') are hardcoded in the whitelist
Note: An IP range can't be specified in this case. You need to enter a single IP address or domain name.
During feature implementation, the following changes were made:
- closed the ability to receive responses in an iframe: the 'X-Frame-Options' header is set to 'DENY'
- closed cross-domain queries on Collaboration scripts:
  - /collaboration/index.php
  - /features/features_user.php
- opened all requests from Origin: 'https://pbxs.wildix.com'
- an empty response is returned to all API requests if the Origin is not in the whitelist
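The behaviour listed above can be sketched as an exact-match origin check. This is an added example, not Wildix code: the function names, the sample whitelist entries and the treatment of a missing Origin header are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Origins the page lists as hardcoded in the whitelist.
HARDCODED = ("https://pbx.wildix.com",
             "chrome-extension://lobgohpoobpijgfegnlhdnppegdbomkn")
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return (scheme, host, port) for a bare origin, or None for anything else."""
    if not value or value.strip().lower() == "null":
        return None
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # A single origin is scheme://host[:port]: no path (so no CIDR range such
    # as 10.0.0.0/24), no query, no fragment, no userinfo.
    if not parts.scheme or not parts.hostname or "@" in parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    scheme = parts.scheme.lower()
    if port is None:
        port = DEFAULT_PORTS.get(scheme)  # https://host equals https://host:443
    return (scheme, parts.hostname.lower(), port)


def build_whitelist(configured):
    """Hardcoded origins plus configured ones; malformed entries are dropped."""
    candidates = (normalize_origin(o) for o in (*HARDCODED, *configured))
    return {c for c in candidates if c is not None}


def handle_api_request(headers, whitelist, body):
    """Return (response_headers, response_body) for one API request."""
    response_headers = {"X-Frame-Options": "DENY"}  # never renderable in a frame
    # Assumption: a request with no Origin header is treated as not whitelisted;
    # the page does not say how the PBX handles that case.
    origin = normalize_origin(headers.get("Origin"))
    if origin is None or origin not in whitelist:
        return response_headers, ""  # empty response for unlisted origins
    return response_headers, body


# Constructed sample configuration: two valid entries and one rejected IP range.
SAMPLE = build_whitelist(["https://crm.example.com",
                          "http://192.168.1.10:8080",
                          "http://10.0.0.0/24"])
```

Comparing the parsed scheme, host and port as a whole means look-alike origins such as `https://crm.example.com.attacker.test` or the same host over `http` do not match a whitelisted `https://crm.example.com`.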