This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

DefaultClientConfigurationValidator CORS validation failure with explicit use of port 80 and 443 #3453

Closed
scottbrady91 opened this issue Jul 19, 2019 · 1 comment

scottbrady91 commented Jul 19, 2019

Issue

The string comparison approach for path detection in the ValidateAllowedCorsOriginsAsync method on DefaultClientConfigurationValidator does not account for origins explicitly stating port 80 (with http) and 443 (when using https). This is because the Uri parser normalises the URL.

https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/src/Validation/Default/DefaultClientConfigurationValidator.cs#L151

Normalization is good but is there a reason for paths being detected by string length comparison? Can I PR a different approach?

Relevant parts of the log file

AllowedCorsOrigins contains invalid origin: https://ids:443
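
The failure mode described in this issue, as an added example that is not part of the original post and is not IdentityServer4's code: `IsOriginByLength` is a hypothetical reconstruction of a length-based path check, `IsOriginByComponents` is one possible component-based alternative, and the class name and sample origins are constructed for illustration.

```csharp
using System;

static class CorsOriginCheck
{
    // Hypothetical reconstruction of the approach the issue describes:
    // any length difference between the configured string and the parsed
    // scheme + authority is taken to mean "this origin has a path".
    public static bool IsOriginByLength(string origin)
    {
        if (!Uri.TryCreate(origin, UriKind.Absolute, out var uri)) return false;
        // System.Uri normalises the URL: a port that is the default for the
        // scheme (80 for http, 443 for https) is dropped from the left part,
        // so "https://ids:443" comes back as "https://ids" and the lengths differ.
        return uri.GetLeftPart(UriPartial.Authority).Length == origin.Length;
    }

    // Component-based alternative (an assumption, not the project's fix):
    // look at the parsed parts instead of comparing string lengths.
    public static bool IsOriginByComponents(string origin)
    {
        if (!Uri.TryCreate(origin, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return false;
        return uri.AbsolutePath == "/"            // no path segment
            && uri.Query.Length == 0              // no query string
            && uri.Fragment.Length == 0           // no fragment
            && uri.UserInfo.Length == 0           // no embedded credentials
            && !origin.EndsWith("/", StringComparison.Ordinal); // no trailing slash
    }

    static void Main()
    {
        // Constructed samples; "ids" is the host from the log line above.
        string[] samples =
        {
            "https://ids", "https://ids:443", "http://ids:80",
            "https://ids:5000", "https://ids/", "https://ids/path"
        };
        foreach (var s in samples)
            Console.WriteLine(
                $"{s,-18} length-check={IsOriginByLength(s),-5} component-check={IsOriginByComponents(s)}");
    }
}
```

Only the explicit default-port forms (`https://ids:443`, `http://ids:80`) are treated differently by the two checks; both reject the trailing-slash and path forms. Browsers serialise an origin without its default port, so a value accepted in the explicit-port form still has to be normalised before it is compared with an `Origin` header.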

lock bot commented Jan 10, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 10, 2020