Bug with same origin check behind reverse proxies/load balancers etc. #1363

Closed
davidfowl opened this Issue Jan 17, 2013 · 1 comment

@davidfowl
Member

Found while testing SignalR on AppHarbor. The same origin check is failing for normal requests. This is because we have bad URL parsing logic in ServerRequest.Owin, in particular:

https://github.com/SignalR/SignalR/blob/release/src/Microsoft.AspNet.SignalR.Owin/ServerRequest.Owin.cs#L139

The request port should be 80 or 443 if a host header is defined but there's no port as part of the host header.

You can observe the effects here:

http://owindump.apphb.com/env

Doesn't happen on Windows Azure Websites (the port is 80):

http://owintest.azurewebsites.net/env

@davidfowl davidfowl was assigned Jan 17, 2013
@davidfowl davidfowl added a commit that referenced this issue Jan 17, 2013
@davidfowl davidfowl Fixed issue with detecting which port to use.
- Always use the default port if the host header exists but there's no
  port.

#1363
efc61f5
@Xiaohongt
Contributor

verified

@Xiaohongt Xiaohongt closed this Jan 18, 2013
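
The port rule from the issue and its fix commit, as an added C# illustration that is not the SignalR source. It assumes the faulty logic fell back to the server's local port (the OWIN `server.LocalPort` value) when the Host header had no port; the page does not show that code. All class and method names, the host name and the port 21487 are constructed for the example.

```csharp
using System;

static class OriginCheckDemo
{
    // Port implied by the scheme when the Host header carries none.
    static int DefaultPort(string scheme) =>
        string.Equals(scheme, "https", StringComparison.OrdinalIgnoreCase) ? 443 : 80;

    // Splits "host[:port]" or "[v6-literal][:port]"; Port is null when absent.
    static (string Host, int? Port) SplitHost(string hostHeader)
    {
        int colon = hostHeader.LastIndexOf(':');
        int bracket = hostHeader.LastIndexOf(']');
        if (colon > bracket && int.TryParse(hostHeader.Substring(colon + 1), out int port))
            return (hostHeader.Substring(0, colon), port);
        return (hostHeader, null);
    }

    // Assumed faulty behaviour: no port in Host, so use the backend socket's port.
    static Uri BuggyRequestUrl(string scheme, string hostHeader, int localPort)
    {
        var (host, port) = SplitHost(hostHeader);
        return new UriBuilder(scheme, host, port ?? localPort).Uri;
    }

    // Rule from the fix: Host header present without a port means the default port.
    static Uri FixedRequestUrl(string scheme, string hostHeader)
    {
        var (host, port) = SplitHost(hostHeader);
        return new UriBuilder(scheme, host, port ?? DefaultPort(scheme)).Uri;
    }

    // Same origin = same scheme, host and port as the browser's Origin header.
    static bool SameOrigin(Uri request, string originHeader) =>
        Uri.TryCreate(originHeader, UriKind.Absolute, out Uri origin)
        && Uri.Compare(request, origin, UriComponents.SchemeAndServer,
                       UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0;

    static void Main()
    {
        // Constructed request: a proxy on port 80 forwards to a backend on 21487.
        string scheme = "http", host = "app.example.test", origin = "http://app.example.test";
        var buggy = BuggyRequestUrl(scheme, host, 21487);
        var fixedUrl = FixedRequestUrl(scheme, host);
        Console.WriteLine($"{buggy} same-origin: {SameOrigin(buggy, origin)}");
        Console.WriteLine($"{fixedUrl} same-origin: {SameOrigin(fixedUrl, origin)}");
    }
}
```

A Host header that does carry an explicit port is used as-is in both versions, so only the port-less case changes behaviour.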