OPTIONS request requires authentication

Question

OPTIONS request requires authentication

sbluhm opened this issue 4 years ago · comments

When an OPTIONS request is received, the server requires authentication. This will cause CORS requests to fail.

See https://www.jujens.eu/posts/en/2015/Jun/27/webdav-options/

Test: curl -i -X OPTIONS https://www.example.com
Result:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="My Server"
Content-Type: text/html

Expectation:

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 0
Accept: OPTIONS, GET, HEAD, DELETE, PROPFIND, PUT, PROPPATCH, COPY, MOVE, LOCK, UNLOCK
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1980 00:00:00 GMT
Server: couling-webdavd
Accept-Ranges: bytes
DAV: 1
Content-Type: text/html

sbluhm commented 4 years ago

#12

Philip Couling commented 3 years ago

Merged

Philip Couling · Answer 1 · Mon Sep 21 2020 04:48:50 GMT+0800 (China Standard Time)

Do you have any steps to reproduce in terms of it's affect on CORS?

The current behaviour is as designed as this has security implications:

RFC 4918 section 18 states:

Note particularly that resources, rather than
servers, are spoken of as being compliant. That is because
theoretically some resources on a server could support different
feature sets. For example, a server could have a sub-repository
where an advanced feature like versioning was supported, even if that
feature was not supported on all sub-repositories.

So the design decision to hide this behind authentication was to avoid exposing information about the existence of underlying resources.

The current code responds with a uniform response to OPTIONS requests irrespective of URL. (see here) however if the server is placed behind a reverse proxy it could expose a DAV server to unauthenticated users which may not be desirable.

It might take a significant code change to make this work but I think it would be okay to make this configurable leaving the current behaviour by default.

sbluhm · Answer 2 · Mon Sep 21 2020 13:21:00 GMT+0800 (China Standard Time)

You will get "unidentifyable" errors in Firefox and Chrome that are blocking the request mentioning CORS but also indicating an underlying network issue.

I did the code change and am currently testing it (whilst working on other CORS challenges like the header implementation). I think I found an easy change. Let me adapt the code to make it configure-able and test some more.

This is my approach:
https://github.com/sbluhm/WebDAV-Daemon/blob/no-auth-options/webdavd.c#L1775