OPTIONS request requires authentication
sbluhm opened this issue · comments
When an OPTIONS request is received, the server requires authentication. This will cause CORS requests to fail.
See https://www.jujens.eu/posts/en/2015/Jun/27/webdav-options/
Test: curl -i -X OPTIONS https://www.example.com
Result:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="My Server"
Content-Type: text/html
Expectation:
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 0
Accept: OPTIONS, GET, HEAD, DELETE, PROPFIND, PUT, PROPPATCH, COPY, MOVE, LOCK, UNLOCK
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1980 00:00:00 GMT
Server: couling-webdavd
Accept-Ranges: bytes
DAV: 1
Content-Type: text/html
Do you have any steps to reproduce in terms of its effect on CORS?
The current behaviour is as designed as this has security implications:
RFC 4918 section 18 states:
Note particularly that resources, rather than servers, are spoken of as being compliant. That is because theoretically some resources on a server could support different feature sets. For example, a server could have a sub-repository where an advanced feature like versioning was supported, even if that feature was not supported on all sub-repositories.
So the design decision to hide this behind authentication was to avoid exposing information about the existence of underlying resources.
The current code responds with a uniform response to OPTIONS requests irrespective of URL (see here); however, if the server is placed behind a reverse proxy it could expose a DAV server to unauthenticated users, which may not be desirable.
It might take a significant code change to make this work but I think it would be okay to make this configurable leaving the current behaviour by default.
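As an added illustration of the proposal above (not code from WebDAV-Daemon; the config flag name and the helper functions are assumed), a minimal C model of the dispatch decision. A browser's CORS preflight is an OPTIONS request sent without credentials, so it is answered with the same headers for every URL when the switch is on, revealing nothing about individual resources, while every other method stays behind authentication.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the dispatch decision discussed in the thread;
 * not code from WebDAV-Daemon. The config flag is an assumed name. */
typedef struct { int allow_unauthenticated_options; } dav_config;
typedef struct { int status; char headers[512]; } dav_response;

/* Uniform OPTIONS reply: identical headers for every URL, so an
 * unauthenticated caller learns nothing about which resources exist. */
static void uniform_options(dav_response *r) {
    r->status = 200;
    snprintf(r->headers, sizeof r->headers,
             "Allow: OPTIONS, GET, HEAD, DELETE, PROPFIND, PUT, PROPPATCH, "
             "COPY, MOVE, LOCK, UNLOCK\r\nDAV: 1\r\nContent-Length: 0\r\n");
}

int handle_request(const dav_config *cfg, const char *method,
                   const char *path, int authenticated, dav_response *r) {
    (void)path; /* never consulted for OPTIONS: no per-resource lookup */
    if (strcmp(method, "OPTIONS") == 0 &&
        (authenticated || cfg->allow_unauthenticated_options)) {
        uniform_options(r);
    } else if (!authenticated) {
        /* Any other unauthenticated request (and OPTIONS with the switch
         * off) gets the Basic challenge shown in the report. */
        r->status = 401;
        snprintf(r->headers, sizeof r->headers,
                 "WWW-Authenticate: Basic realm=\"My Server\"\r\n");
    } else {
        r->status = 200; /* authenticated methods dispatch normally */
        r->headers[0] = '\0';
    }
    return r->status;
}

/* Status code a request receives under the given switch setting. */
int status_for(int allow_unauth, const char *method, int authed) {
    dav_config cfg = { allow_unauth };
    dav_response r;
    return handle_request(&cfg, method, "/any/path", authed, &r);
}

/* 1 if an unauthenticated preflight gets byte-identical headers for two
 * different paths: the information-disclosure check for the switch. */
int options_reply_is_uniform(const char *p1, const char *p2) {
    dav_config cfg = { 1 };
    dav_response a, b;
    handle_request(&cfg, "OPTIONS", p1, 0, &a);
    handle_request(&cfg, "OPTIONS", p2, 0, &b);
    return strcmp(a.headers, b.headers) == 0;
}
```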
You will get "unidentifiable" errors in Firefox and Chrome that are blocking the request mentioning CORS but also indicating an underlying network issue.
I did the code change and am currently testing it (whilst working on other CORS challenges like the header implementation). I think I found an easy change. Let me adapt the code to make it configurable and test some more.
This is my approach:
https://github.com/sbluhm/WebDAV-Daemon/blob/no-auth-options/webdavd.c#L1775
Merged