Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PHP CORS Proxy #1546

Merged
merged 8 commits into from
Jul 12, 2024
Merged

PHP CORS Proxy #1546

merged 8 commits into from
Jul 12, 2024

Conversation

adamziel
Copy link
Collaborator

@adamziel adamziel commented Jun 29, 2024
edited
Loading

Description

Ships a PHP-based CORS proxy we'll need to integrate git clone via fetch().

Usage

  1. Run dev.sh to start a local server, then go to http://127.0.0.1:5263/proxy.php/https://w.org/ and confirm it worked.
  2. Request http://127.0.0.1:5263/proxy.php/https://w.org/?test=1 to get the response from https://w.org/?test=1 plus the CORS headers.

Technical Design

Assumptions:

  • Run on a separate hostname for increased origin separation, like playground-proxy.wordpress.net. Do not use a subdomain, like proxy.playground.wordpress.net.
  • Stream data both ways, don't buffer.
  • Don't pass auth headers in either direction.
  • Refuse to request private IPs.
  • Refuse to process non-GET non-POST non-OPTIONS requests.
  • Refuse to process POST request body larger than, say, 100KB.
  • Refuse to process responses larger than, say, 100MB.

Follow-up work

  • Start a server at playground-proxy.wordpress.net.
  • Implement rate limiting (could be at the hosting platform level).

Testing instructions

  • Run dev.sh to start a local server, then go to http://127.0.0.1:5263/proxy.php/https://w.org/ and confirm it worked.
  • Run test.sh to run PHPUnit tests, confirm they all pass.

See #1467
@adamziel
Explore: PHP CORS Proxy
b7fcdb3 
Work in progress.

To integrate [git clone](https://adamadam.blog/2024/06/21/cloning-a-git-repository-from-a-web-browser-using-fetch/)
via `fetch()`, we need a CORS proxy. This PR explores an implementation.

Assumptions:

* It will run on a separate hostname – ideally not even a subdomain
* No auth headers should make it through either way
* No requests to private IPs
* Stream data both ways, don't buffer

Remaining work:

* For now, refuse to process non-GET non-POST non-OPTIONS requests
* Refuse to process POST request body larger than, say, 100KB
* Refuse to process responses larger than, say, 100MB
* Smart rate limiting
* Support for query args
* More unit tests

See #1467
@adamziel adamziel linked an issue Jun 29, 2024 that may be closed by this pull request
PHP feature parity #763
Open
28 tasks
@adamziel adamziel removed a link to an issue Jun 29, 2024
PHP feature parity #763
Open
28 tasks
@adamziel adamziel self-assigned this Jul 10, 2024
@adamziel adamziel marked this pull request as ready for review July 11, 2024 11:18
@adamziel adamziel changed the title Explore: PHP CORS Proxy Jul 11, 2024
@adamziel
Copy link
Collaborator Author

I'll go ahead and merge. I'm happy to revisit if you have more feedback @brandonpayton @bgrgicak
@adamziel adamziel merged commit 126f0e2 into trunk Jul 12, 2024
5 checks passed
@adamziel adamziel deleted the explore-php-cors-proxy branch July 12, 2024 13:25
@adamziel adamziel mentioned this pull request Aug 2, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
[Aspect] Website [Type] Enhancement New feature or request
2 participants
@adamziel @bgrgicak