Allow Origin (domain whitelist)

Background

Initial ticket: 

To prevent cross-site data interception, an 'Origin' header whitelist has been implemented for API queries.

Technical Details

The whitelist can be configured in WMS Settings > PBX > Security.

Settings are stored in /rw2/etc/pbx/http-security.conf

Different domains are supported for configuration e.g.

The Origin 'https://pbx.wildix.com' and the Wildix Chrome Extension (chrome-extension://lobgohpoobpijgfegnlhdnppegdbomkn) are hardcoded in the whitelist.

During feature implementation, the following changes were made:

  • Responses can no longer be loaded in an iframe: the 'X-Frame-Options' header is set to 'DENY'
  • Cross-domain queries to the Collaboration scripts are blocked:
    • /collaboration/index.php
    • /features/features_user.php
  • All requests from Origin: 'https://pbxs.wildix.com' are allowed
  • An empty response is returned to all API requests if the Origin is not in the whitelist
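
The behaviour listed above can be sketched as follows. This is an added example, not Wildix code: the function names, the exact-match normalization, the handling of a missing Origin header and the CORS response headers are assumptions, and the partner origin in the usage note is constructed.

```python
from urllib.parse import urlsplit

# Entries the page lists as hardcoded in the whitelist.
HARDCODED = (
    "https://pbx.wildix.com",
    "chrome-extension://lobgohpoobpijgfegnlhdnppegdbomkn",
)
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return canonical scheme://host[:port], or None if value is not a bare origin."""
    # Reject empty values and any whitespace/control characters outright.
    if not value or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in value):
        return None
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # An Origin carries no path, query, fragment or credentials ("null" fails here too).
    if not parts.scheme or not parts.hostname or "@" in parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    if port is None or port == DEFAULT_PORTS.get(parts.scheme):
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def build_allowlist(configured):
    """Merge admin-configured origins with the hardcoded ones, dropping malformed entries."""
    return frozenset(filter(None, map(normalize_origin, (*HARDCODED, *configured))))


def api_response(origin_header, allowlist, body):
    """Return (headers, body) for one API request."""
    headers = {"X-Frame-Options": "DENY"}  # never renderable inside an iframe
    origin = normalize_origin(origin_header)
    # Assumption: a missing Origin header is treated like a non-whitelisted one.
    if origin is None or origin not in allowlist:
        return headers, b""  # empty response, as the page describes
    # Assumption (not stated on the page): echo the validated origin for CORS.
    headers["Access-Control-Allow-Origin"] = origin
    headers["Vary"] = "Origin"
    return headers, body
```

With `build_allowlist(["https://crm.example.com:8443"])`, a request from `https://crm.example.com:8443` gets the body, while `https://crm.example.com`, `http://pbx.wildix.com` and `https://pbx.wildix.com.evil.example` all get the empty response, because scheme, host and port must match exactly.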

Attention

Partners must be informed that any webapi / pbxapi integration will stop working if its domain is not added to the whitelist.
