Add Kudu for Microsoft Azure to default whitelist

[kevinoid]

Attempting to access Advanced tools (Kudu) for an App Service (or Function running in an App Service) from the Azure Portal fails and lands on a page with "Error 403 - This web app is stopped." when Smart Referer is enabled with default settings.

The request chain is as follows:

302 GET https://appname.scm.azurewebsites.net/
200 GET https://login.microsoftonline.com/common/oauth2/authorize?...
403 POST https://waws-prod-bay-111.sso.azurewebsites.net/

Adding login.microsoftonline.com>*.sso.azurewebsites.net changes the request chain to:

302 GET https://appname.scm.azurewebsites.net/
200 GET https://login.microsoftonline.com/common/oauth2/authorize?...
200 POST https://waws-prod-bay-111.sso.azurewebsites.net/
403 POST https://appname.scm.azurewebsites.net/

Additionally adding *.sso.azurewebsites.net>*.scm.azurewebsites.net permits Kudu to open correctly.

As far as I know, *.sso.azurewebsites.net is only used as part of the sign-in process (Single Sign On) and *.scm.azurewebsites.net for hosting Kudu, so it should be reasonably safe for a default whitelist. However, I'm not an Azure expert or insider so there may be other uses I am unaware of.

Let me know if there is any additional information I can provide.

Thanks,
Kevin

[ntninja]

Thank you for your feedback! I've pushed a whitelist update with the rules you suggested – please test to make sure it works as expected:

1. Open the Add-ons page from the menu button on the toolbar
2. Select the entry named Extensions from the left-hand side of the add-on page
3. Click on the Settings button beneath Smart Referer in the extension list
4. Make sure the Use default whitelist option is checked under Whitelist Sources
5. Remove any custom Exception rules that may be related to this issue
6. Click on the Disable button towards to bottom of Smart Referer's extension page
7. Wait for Smart Referer to be disabled then click the Enable to re-enable button (this will force a whitelist update)
8. Check if your page is working now 🙂

Also, as an extra, could you also test whether these rules are required when using “Send nothing as a referer” instead of “Send the URL you're going to”. To do so please open the extension preferences again, change the value of Rewrite Mode to “Send nothing as a referer” and uncheck the “Use default whitelist” option, then test again. (You probably want to change these values back after testing.) You'd help me gather data on whether we want to change the default for this option to that value in the future (issue #113). Thanks for your help!

Feel free to close this issue if it works now!