Keep null origins from masquarding as "file://"

Browsers send null origins when an iframe contains html code for its source instead of a URL. This means that websites who used rack-cors and allowed "file://" were open to attacks from malicious pages that used this fact to send "null" origins.
cyu · Feb 15, 2017 · 80450a0 · 80450a0
1 parent be1d356
commit 80450a0
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 10 deletions.
diff --git a/lib/rack/cors.rb b/lib/rack/cors.rb
@@ -278,13 +278,11 @@ def public_resources?
         def allow_origin?(source,env = {})
           return true if public_resources?
 
-          effective_source = (source == 'null' ? 'file://' : source)
-
           return !! @origins.detect do |origin|
             if origin.is_a?(Proc)
               origin.call(source,env)
             else
-              origin === effective_source
+              origin === source
             end
           end
         end
@@ -323,7 +321,7 @@ def initialize(public_resource, path, opts={})
           else
             ensure_enum(opts[:methods]) || [:get]
           end.map{|e| e.to_s }
-          
+
           self.expose = opts[:expose] ? [opts[:expose]].flatten : nil
         end
 

diff --git a/test/unit/cors_test.rb b/test/unit/cors_test.rb
@@ -256,12 +256,6 @@ def load_app(name)
       last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
     end
 
-    it 'should "null" origin, allowed as "file://", returned as "null" in header' do
-      preflight_request('null', '/')
-      should_render_cors_success
-      last_response.headers['Access-Control-Allow-Origin'].must_equal 'null'
-    end
-
     it 'should return "file://" as header with "file://" as origin' do
       preflight_request('file://', '/')
       should_render_cors_success