Running in GitHub Codespaces #1542
Comments
I am working on this for #SymfonyHackday
If it is executed as part of the updateContentCommand step, the container creation fails. importmap:install is executed by composer install though (part of the auto-scripts), which executes just fine in Codespaces.

Fixes symfony#1542

Co-authored-by: Wolfgang Weintritt <w.weintritt@justimmo.at>
PR #1544 fixes the crash when starting a Codespace. But there is another issue in Codespace: The Router generates absolute URLs with the port number included, which doesn't work in Codespace. I am not that familiar with the Routing component, maybe somebody else can take a look at it?
It's to be due to the proxy provided by Codespace. This can be solved by setting one of the trusted proxies:
I'm not sure what would be the best for this project:
After that, there is still an issue with CSRF protection.
…xgrundnig)

This PR was merged into the main branch.

Discussion
----------

Remove importmap:install command from devcontainer.json

If it is executed as part of the updateContentCommand step, the container creation fails. importmap:install is executed by composer install though (part of the auto-scripts), which executes just fine in Codespaces.

Part of #1542

Commits
-------

7271753 Remove importmap:install command from devcontainer.json
@nicolas-grekas after fixing trusted proxies in #1550, I did not find how to fix CSRF protection. The attribute |
can you try adding this to the login form? -<input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}"/>
+<input type="hidden" name="_csrf_token" data-controller="csrf-protection" value="{{ csrf_token('authenticate') }}"/> |
This PR was squashed before being merged into the main branch.

Discussion
----------

Set trusted proxies for running in Codespace

Part of #1542

GitHub Codespaces runs the application behind a proxy. In order to get correctly generated URLs, proxy headers must be allowed.

Also update to PHP 8.4

Commits
-------

d09b66a Set trusted proxies for running in Codespace
The CSRF error logged is The
It works if I change the - $source = $request->headers->get('Origin') ?? $request->headers->get('Referer') ?? 'null';
+ $source = $request->headers->get('Referer') ?? 'null'; |
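Review bot: the `+` line drops the `Origin` lookup entirely, so a request that carries a matching `Origin` but no `Referer` now falls through to `'null'` and is rejected. Rather than replacing one header with the other, read both and accept when either one matches the expected origin, so clients that send only `Origin` keep working.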
@GromNaN are your trusted proxies configured properly?
Yes, they have been configured in #1550
It seems to be an issue with Codespace: https://github.com/orgs/community/discussions/147513
GitHub Codespaces port-forwarding proxy has a specific behavior regarding the

I made this basic page for testing:

```php
<form method="POST"><input type=submit></form>
<pre><?php print_r($_SERVER); ?></pre>
```

And running in Codespaces:

```
php -S 127.0.0.1:8003 index.php
```

Making the port forwarding public for testing easily with

Testing with the correct

```
curl -X POST https://orange-space-palm-tree-rwp96p7p7f57j9-8003.app.github.dev/ -H "Origin: https://orange-space-palm-tree-rwp96p7p7f57j9-8003.app.github.dev" -s|grep HTTP_ORIGIN
[HTTP_ORIGIN] => http://localhost:8003
```

Testing with another

```
curl -X POST https://orange-space-palm-tree-rwp96p7p7f57j9-8003.app.github.dev/ -H "Origin: http://example.com" -s|grep HTTP_ORIGIN
[HTTP_ORIGIN] => http://example.com
```

If I set the

```
curl -X POST https://orange-space-palm-tree-rwp96p7p7f57j9-8003.app.github.dev/ -H "Origin: https://orange-space-palm-tree-rwp96p7p7f57j9-8003.app.github.dev" -s|grep HTTP_ORIGIN
[HTTP_ORIGIN] => http://localhost:8003
```

Rails and Django have the same issue and the solution is to skip CSRF protection 😕 or configure a trusted origin. I think we should add an option to "trust the proxy" for the
…in" (nicolas-grekas)

This PR was merged into the 7.2 branch.

Discussion
----------

[Security/Csrf] Trust "Referer" at the same level as "Origin"

| Q | A |
| ------------- | --- |
| Branch? | 7.2 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Issues | symfony/demo#1542 |
| License | MIT |

As hinted by `@GromNaN` in symfony/demo#1542 (comment), there are proxies that mess up with the `Origin` header, but forward a valid `Referer` header. Since both headers have the same level of trust, I'm proposing to trust them both equally. At the moment, `Origin` overrides `Referer`. With this PR, we check both and accept if just `Referer` matches.

Commits
-------

6cd974b [Security/Csrf] Trust "Referer" at the same level as "Origin"
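
The two behaviours contrasted in the PR message above ("`Origin` overrides `Referer`" versus "check both"), as an added example in plain PHP that is not Symfony's code. It compares parsed origins rather than string prefixes, so a look-alike `Referer` host is still rejected. The function names `originOf`, `originOverridesReferer` and `eitherHeaderMatches`, and the host `demo-8003.app.example.test`, are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example: helper names and the sample host are hypothetical, not Symfony's API.

/** Reduce a URL or Origin value to "scheme://host[:port]"; null when absent or unparsable. */
function originOf(?string $value): ?string
{
    $p = $value === null ? false : parse_url($value);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $origin = strtolower($p['scheme']) . '://' . strtolower($p['host']);
    // Default ports are not normalised here (":443" and no port compare as different).
    return isset($p['port']) ? $origin . ':' . $p['port'] : $origin;
}

/** Earlier behaviour: a present Origin header overrides Referer. */
function originOverridesReferer(string $target, ?string $origin, ?string $referer): bool
{
    $t = originOf($target);
    return $t !== null && originOf($origin ?? $referer) === $t;
}

/** Behaviour described in the PR: accept when either header matches the target origin. */
function eitherHeaderMatches(string $target, ?string $origin, ?string $referer): bool
{
    $t = originOf($target);
    return $t !== null && (originOf($origin) === $t || originOf($referer) === $t);
}

// Constructed requests against a constructed forwarded host.
$target = 'https://demo-8003.app.example.test';
$cases = [
    'proxy rewrote Origin, Referer intact' => ['http://localhost:8003', $target . '/login'],
    'cross-site Origin and Referer'        => ['http://example.com', 'http://example.com/form'],
    'look-alike Referer host'              => ['http://localhost:8003', $target . '.example.com/'],
    'no Origin, no Referer'                => [null, null],
];

foreach ($cases as $label => [$origin, $referer]) {
    printf(
        "%-38s before=%s after=%s\n",
        $label,
        var_export(originOverridesReferer($target, $origin, $referer), true),
        var_export(eitherHeaderMatches($target, $origin, $referer), true)
    );
}
```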
GitHub Codespaces is a good solution to run and try modifying the application without installing anything on the desktop. Part of the support was added by #1369
But it doesn't work anymore, we get the following message when starting a codespace.
What we need to achieve with codespace: