Background
Initial ticket:
To prevent cross-site data interception, an 'Origin' header whitelist has been implemented for API queries: requests are served only when the browser-supplied Origin matches an allowed entry.
Technical Details
The whitelist can be configured in WMS Settings > PBX > Security
The settings are stored in /rw2/etc/pbx/http-security.conf
Several domains can be added to the configuration. The following origins are hardcoded in the whitelist and do not need to be added:
- Wildix Portal: 'https://pbx.wildix.com'
- Wildix Chrome Extension: 'chrome-extension://lobgohpoobpijgfegnlhdnppegdbomkn'
The following changes were made while implementing the feature:
- blocked rendering of responses inside an iframe: the 'X-Frame-Options' header is set to 'DENY'
- blocked cross-domain requests to the Collaboration scripts:
- /collaboration/index.php
- /features/features_user.php
- allowed all requests with Origin 'https://pbxs.wildix.com'
- an empty response is returned to every API request whose Origin is not in the whitelist
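The check described above, as an added illustration rather than Wildix's own code: an Origin value is normalised to scheme://host and compared by exact match against the hardcoded entries plus whatever the administrator configured, a non-whitelisted Origin gets an empty body, and every response carries 'X-Frame-Options: DENY'. The response status for a rejected request, the CORS reflection header and the configured-list input are assumptions; the page does not state them or the format of http-security.conf.

```python
from urllib.parse import urlsplit

# Origins the page states are hardcoded in the whitelist.
HARDCODED_ORIGINS = {
    "https://pbx.wildix.com",                                 # Wildix Portal
    "chrome-extension://lobgohpoobpijgfegnlhdnppegdbomkn",    # Wildix Chrome Extension
    "https://pbxs.wildix.com",                                # opened during implementation
}


def normalize_origin(origin):
    """Reduce an Origin value to lowercase scheme://host[:port]; None if malformed.
    'null' (sandboxed iframe, file://) has no scheme and is rejected here."""
    parts = urlsplit(origin.strip())
    if not parts.scheme or not parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def origin_allowed(origin, configured):
    """Exact-match lookup. Because the whitelist is compared as whole values,
    'https://pbx.wildix.com.attacker.example' and 'http://pbx.wildix.com' do not
    match the HTTPS portal entry; a port in the Origin must be listed explicitly."""
    if origin is None:           # assumption: a request without Origin is not whitelisted
        return False
    norm = normalize_origin(origin)
    if norm is None:
        return False
    allowed = HARDCODED_ORIGINS | ({normalize_origin(o) for o in configured} - {None})
    return norm in allowed


def handle_api_request(headers, configured, payload='{"result": "ok"}'):
    """Return (status, response_headers, body). Header names are matched
    case-insensitively. Non-whitelisted Origin -> empty body (status 200 is an
    assumption); X-Frame-Options: DENY is set on every response."""
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    resp_headers = {"X-Frame-Options": "DENY"}
    if not origin_allowed(origin, configured):
        return 200, resp_headers, ""
    # Assumed CORS reflection so browser clients on an allowed origin can read the body.
    resp_headers["Access-Control-Allow-Origin"] = normalize_origin(origin)
    resp_headers["Vary"] = "Origin"
    return 200, resp_headers, payload
```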
Attention
Partners must be informed that any webapi / pbxapi integration will stop working if its domain is not added to the whitelist.