allow configure HTTPVirtualHosts and HTTPCors settings

node/node.go

@@ -127,9 +127,7 @@ func newGethNodeConfig(config *params.NodeConfig) (*node.Config, error) {
 			MaxPeers:        config.MaxPeers,
 			MaxPendingPeers: config.MaxPendingPeers,
 		},
-		HTTPCors:         nil,
-		HTTPModules:      config.FormatAPIModules(),
-		HTTPVirtualHosts: []string{"localhost"},
+		HTTPModules: config.FormatAPIModules(),
 	}
 
 	if config.IPCEnabled {
@@ -144,6 +142,8 @@ func newGethNodeConfig(config *params.NodeConfig) (*node.Config, error) {
 	if config.HTTPEnabled {
 		nc.HTTPHost = config.HTTPHost
 		nc.HTTPPort = config.HTTPPort
+		nc.HTTPVirtualHosts = config.HTTPVirtualHosts
+		nc.HTTPCors = config.HTTPCors
 	}
 
 	if config.ClusterConfig.Enabled {

node/node_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/ethereum/go-ethereum/p2p/discover"
+	"github.com/status-im/status-go/params"
 	. "github.com/status-im/status-go/t/utils"
 	"github.com/stretchr/testify/require"
 	"github.com/syndtr/goleveldb/leveldb"
@@ -68,3 +69,16 @@ func TestParseNodesToNodeID(t *testing.T) {
 	require.Len(t, nodeIDs, 1)
 	require.Equal(t, discover.NodeID{1}, nodeIDs[0])
 }
+
+func TestNewGethNodeConfig(t *testing.T) {
+	config, err := params.NewNodeConfig("", params.RopstenNetworkID)
+	require.NoError(t, err)
+	config.HTTPEnabled = true
+	config.HTTPVirtualHosts = []string{"my.domain.com"}
+	config.HTTPCors = []string{"http://my.domain.com"}
+
+	nc, err := newGethNodeConfig(config)
+	require.NoError(t, err)
+	require.Equal(t, []string{"my.domain.com"}, nc.HTTPVirtualHosts)
+	require.Equal(t, []string{"http://my.domain.com"}, nc.HTTPCors)
+}

params/config.go

@@ -212,6 +212,20 @@ type NodeConfig struct {
 	// HTTPPort is the TCP port number on which to start the Geth's HTTP RPC server.
 	HTTPPort int
 
+	// HTTPVirtualHosts is the list of virtual hostnames which are allowed on incoming requests.
+	// This is by default {'localhost'}. Using this prevents attacks like
+	// DNS rebinding, which bypasses SOP by simply masquerading as being within the same
+	// origin. These attacks do not utilize CORS, since they are not cross-domain.
+	// By explicitly checking the Host-header, the server will not allow requests
+	// made against the server with a malicious host domain.
+	// Requests using an IP address directly are not affected.
+	HTTPVirtualHosts []string
+
+	// HTTPCors is the Cross-Origin Resource Sharing header to send to requesting
+	// clients. Please be aware that CORS is a browser enforced security, it's fully
+	// useless for custom HTTP clients.
+	HTTPCors []string
+
 	// IPCEnabled specifies whether IPC-RPC Server is enabled or not
 	IPCEnabled bool
 
@@ -399,6 +413,7 @@ func NewNodeConfig(dataDir string, networkID uint64) (*NodeConfig, error) {
 		Version:               Version,
 		HTTPHost:              "localhost",
 		HTTPPort:              8545,
+		HTTPVirtualHosts:      []string{"localhost"},
 		ListenAddr:            ":0",
 		APIModules:            "eth,net,web3,peer",
 		MaxPeers:              25,

params/config_test.go

@@ -353,6 +353,34 @@ func TestNodeConfigValidate(t *testing.T) {
 			}`,
 			Error: "PFSEnabled is true, but InstallationID is empty",
 		},
+		{
+			Name: "Default HTTP virtual hosts is localhost and CORS is empty",
+			Config: `{
+				"NetworkId": 1,
+				"DataDir": "/some/dir",
+				"KeyStoreDir": "/some/dir",
+				"BackupDisabledDataDir": "/some/dir"
+			}`,
+			CheckFunc: func(t *testing.T, config *params.NodeConfig) {
+				require.Equal(t, []string{"localhost"}, config.HTTPVirtualHosts)
+				require.Nil(t, config.HTTPCors)
+			},
+		},
+		{
+			Name: "Set HTTP virtual hosts and CORS",
+			Config: `{
+				"NetworkId": 1,
+				"DataDir": "/some/dir",
+				"KeyStoreDir": "/some/dir",
+				"BackupDisabledDataDir": "/some/dir",
+				"HTTPVirtualHosts": ["my.domain.com"],
+				"HTTPCors": ["http://my.domain.com:8080"]
+			}`,
+			CheckFunc: func(t *testing.T, config *params.NodeConfig) {
+				require.Equal(t, []string{"my.domain.com"}, config.HTTPVirtualHosts)
+				require.Equal(t, []string{"http://my.domain.com:8080"}, config.HTTPCors)
+			},
+		},
 	}
 
 	for _, tc := range testCases {