[SEC] restrict CORS to authorized extension IDs

RaoufGhrissi · RaoufGhrissi · commit 4b8e8939977c · 2026-04-02T19:04:01.000+02:00
Fixes a security issue where any Firefox extension (moz-extension://.*) could access the ActivityWatch server without any restriction. Previously, the CORS configuration included a wildcard for all Mozilla extensions by default. This commit removes that blanket permission and introduces granular control through both static configuration and the Web UI. We've added 2 new fields to the file configuration (cors_allow_aw_chrome_extension and cors_allow_all_mozilla_extension) and 4 new settings to the Web UI (Fixed origins, Regex origins, and extension-specific shortcuts). The server now merges these settings to determine the final set of authorized origins, ensuring a more secure and flexible configuration. Dependent on: ActivityWatch/aw-webui#795
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,5 @@ NDK
 *.sqlite*
 *.db
 *.db-journal
+
+.vscode
diff --git a/README.md b/README.md
@@ -60,16 +60,22 @@ Available options:
 
 # Additional regex CORS origins to allow (e.g. for sideloaded browser extensions)
 #cors_regex = ["chrome-extension://yourextensionidhere"]
+
+# Allow official ActivityWatch Chrome extension? (default: true)
+#cors_allow_aw_chrome_extension = true
+
+# Allow all Firefox extensions? (default: false, DANGEROUS)
+#cors_allow_all_mozilla_extension = false
 ```
 
 #### Custom CORS Origins
 
 By default, the server allows requests from:
 - The server's own origin (`http://127.0.0.1:<port>`, `http://localhost:<port>`)
-- The official Chrome extension (`chrome-extension://nglaklhklhcoonedhgnpgddginnjdadi`)
-- All Firefox extensions (`moz-extension://.*`)
+- The official Chrome extension (`chrome-extension://nglaklhklhcoonedhgnpgddginnjdadi`) if `cors_allow_aw_chrome_extension` is true (default).
+- All Firefox extensions (`moz-extension://.*`) ONLY IF `cors_allow_all_mozilla_extension` is set to true.
 
-To allow additional origins (e.g. a sideloaded Chrome extension), add them to your config:
+To allow additional origins (e.g. a sideloaded Chrome extension), add them to your `cors` or `cors_regex` config:
 
 ```toml
 # Allow a specific sideloaded Chrome extension
diff --git a/aw-server/src/config.rs b/aw-server/src/config.rs
@@ -36,6 +36,12 @@ pub struct AWConfig {
     #[serde(default = "default_cors")]
     pub cors_regex: Vec<String>,
 
+    #[serde(default = "default_true")]
+    pub cors_allow_aw_chrome_extension: bool,
+
+    #[serde(default = "default_false")]
+    pub cors_allow_all_mozilla_extension: bool,
+
     // A mapping of watcher names to paths where the
     // custom visualizations are located.
     #[serde(default = "default_custom_static")]
@@ -50,6 +56,8 @@ impl Default for AWConfig {
             testing: default_testing(),
             cors: default_cors(),
             cors_regex: default_cors(),
+            cors_allow_aw_chrome_extension: default_true(),
+            cors_allow_all_mozilla_extension: default_false(),
             custom_static: default_custom_static(),
         }
     }
@@ -91,6 +99,14 @@ fn default_testing() -> bool {
     is_testing()
 }
 
+fn default_true() -> bool {
+    true
+}
+
+fn default_false() -> bool {
+    false
+}
+
 fn default_port() -> u16 {
     if is_testing() {
         5666
diff --git a/aw-server/src/endpoints/cors.rs b/aw-server/src/endpoints/cors.rs
@@ -9,19 +9,24 @@ pub fn cors(config: &AWConfig) -> rocket_cors::Cors {
     let mut allowed_exact_origins = vec![root_url, root_url_localhost];
     allowed_exact_origins.extend(config.cors.clone());
 
-    if config.testing {
-        allowed_exact_origins.push("http://127.0.0.1:27180".to_string());
-        allowed_exact_origins.push("http://localhost:27180".to_string());
+    let mut allowed_regex_origins = config.cors_regex.clone();
+
+    if config.cors_allow_aw_chrome_extension {
+        allowed_regex_origins.push("chrome-extension://nglaklhklhcoonedhgnpgddginnjdadi".to_string());
     }
-    let mut allowed_regex_origins = vec![
-        "chrome-extension://nglaklhklhcoonedhgnpgddginnjdadi".to_string(),
+
+    if config.cors_allow_all_mozilla_extension {
         // Every version of a mozilla extension has its own ID to avoid fingerprinting, so we
         // unfortunately have to allow all extensions to have access to aw-server
-        "moz-extension://.*".to_string(),
-    ];
-    allowed_regex_origins.extend(config.cors_regex.clone());
+        allowed_regex_origins.push("moz-extension://.*".to_string());
+    }
+
     if config.testing {
-        allowed_regex_origins.push("chrome-extension://.*".to_string());
+        allowed_exact_origins.extend(vec![
+            "http://127.0.0.1:27180".to_string(), 
+            "http://localhost:27180".to_string(),
+            "chrome-extension://.*".to_string(),
+        ]);
     }
 
     let allowed_origins = AllowedOrigins::some(&allowed_exact_origins, &allowed_regex_origins);
diff --git a/aw-server/src/endpoints/mod.rs b/aw-server/src/endpoints/mod.rs
@@ -127,11 +127,50 @@ fn get_file(file: PathBuf, state: &State<ServerState>) -> Option<(ContentType, V
     Some((content_type, asset))
 }
 
-pub fn build_rocket(server_state: ServerState, config: AWConfig) -> rocket::Rocket<rocket::Build> {
+pub fn build_rocket(
+    server_state: ServerState,
+    mut config: AWConfig,
+) -> rocket::Rocket<rocket::Build> {
     info!(
         "Starting aw-server-rust at {}:{}",
         config.address, config.port
     );
+    {
+        let db = server_state.datastore.lock().unwrap();
+        let parse_cors_list = |raw: String| -> Vec<String> {
+            serde_json::from_str::<String>(&raw)
+                .unwrap_or_default()
+                .split(',')
+                .map(|s| s.trim().to_string())
+                .filter(|s| !s.is_empty())
+                .collect()
+        };
+        let parse_bool = |raw: String| -> bool {
+            serde_json::from_str::<bool>(&raw)
+                .ok()
+                .or_else(|| {
+                    if raw == "true" {
+                        Some(true)
+                    } else {
+                        Some(false)
+                    }
+                })
+                .unwrap()
+        };
+
+        if let Ok(raw) = db.get_key_value("settings.cors") {
+            config.cors.extend(parse_cors_list(raw));
+        }
+        if let Ok(raw) = db.get_key_value("settings.cors_regex") {
+            config.cors_regex.extend(parse_cors_list(raw));
+        }
+        if let Ok(raw) = db.get_key_value("settings.cors_allow_aw_chrome_extension") {
+            config.cors_allow_aw_chrome_extension |= parse_bool(raw);
+        }
+        if let Ok(raw) = db.get_key_value("settings.cors_allow_all_mozilla_extension") {
+            config.cors_allow_all_mozilla_extension |= parse_bool(raw);
+        }
+    }
     let cors = cors::cors(&config);
     let hostcheck = hostcheck::HostCheck::new(&config);
     let custom_static = config.custom_static.clone();
diff --git a/aw-webui b/aw-webui
@@ -1 +1 @@
-Subproject commit cd5aafe2fdc27e621035621d83d9bcae4b587837
+Subproject commit 9e1a0fefa723150ed361a9cec70a885955773a36
