Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CORS security: reflecting any origin header value when configured to * is dangerous #55

Closed
chenjj opened this issue May 12, 2018 · 6 comments
Closed

CORS security: reflecting any origin header value when configured to * is dangerous #55

chenjj opened this issue May 12, 2018 · 6 comments

Comments

@chenjj
Copy link

chenjj commented May 12, 2018
edited
Loading

When CORS policy is configured to origin:"*", current go CORS handler will actively convert it to reflect any Origin header value. This kind of behavior is dangerous and has caused many security problems in the past.

Some similar security issues:
cyu/rack-cors#126
https://nodesecurity.io/advisories/148

Some related blog posts:
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
https://ejj.io/misconfigured-cors/
@rs
Copy link
Owner

rs commented May 14, 2018

This is only the case when allow credential is enabled, which is not the default. What change would you expect?

@chenjj
Copy link
Author

chenjj commented May 14, 2018

Hi Olivier, thanks for your reply.

Yeah, setting credentials to false by default can reduce misconfigurations, but the point I want to say here is that, converting Origin: * and Credentials: true to origin reflection is insecure and incompatible with CORS standards.

Current CORS standards(both W3C CORS and WHATWG fetch standard) have a clear definition for the wildcard *, which means any domain is allowed. But they also have another important security requirement: Origin: * and Credentials: true cannot be used at the same time, to avoid overly loose permissions. Currently all browsers follow this requirement to disallow this configuration combination.

If a framework actively converts * to reflect any origin header value, it means Origin: * and Credentials: true can be used at the same time. This behavior leads to CORS protocol's security design to be bypassed, causing many misconfiguration security problems.

Therefore, I suggest frameworks to follow the standard definition of *. When a user configures Origin:*, frameworks just directly returns Access-control-Allow-Access: *. When a user configures both Origin:* and Credentials: true , frameworks should warn users that this is a misconfiguration because browsers will not accept this combination.

@chenjj
Copy link
Author

chenjj commented May 17, 2018

FYI, here are some more similar issues:
Yii2 framework, yiisoft/yii2#16193
Tomcat CORSFilter, CVE-2018-8014, https://bz.apache.org/bugzilla/show_bug.cgi?id=62343

rs added a commit that referenced this issue May 18, 2018
@rs
Add a warning when allowCredentials is used with wildcard origin
5824a56 
Fixes: #55
@rs rs mentioned this issue May 18, 2018
Merged
@rs
Copy link
Owner

rs commented May 18, 2018

Please see #56

@chenjj chenjj mentioned this issue May 18, 2018
Closed
@rs
Copy link
Owner

rs commented May 23, 2018

@chenjj any feedback?

@chenjj
Copy link
Author

chenjj commented May 24, 2018

Looks good, thanks!

@chenjj chenjj closed this as completed May 24, 2018
rs added a commit that referenced this issue May 24, 2018
@rs
Add a warning when allowCredentials is used with wildcard origin (#56)
694cf2a 
Fixes: #55
@ejcx ejcx mentioned this issue Jul 25, 2018
Merged
@taik0 taik0 mentioned this issue Nov 1, 2019
Closed
wildsurfer added a commit to postgrest-oauth/api that referenced this issue Dec 2, 2019
@wildsurfer
Better CORS security
e13d4cf 
rs/cors#55
@SyntaxNode SyntaxNode mentioned this issue Feb 24, 2020
Closed
itsjamie added a commit to itsjamie/gin-cors that referenced this issue Feb 28, 2022
@itsjamie
Prevent reflection of Origin header
c1b42ad 
rs/cors#55
This was referenced Feb 17, 2023
Closed
Closed
@KenJPH KenJPH mentioned this issue May 25, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rs @chenjj