
Prevent insecure CORS configurations #142

Merged
merged 5 commits into from Jul 15, 2017

Conversation

@peret (Contributor) commented Jul 13, 2017

This PR fixes #126.
Main changes:

  • Specifying a wildcard origin in combination with 'allow credentials' isn't allowed anymore.
  • credentials defaults to true iff the specified origin is not the wildcard.
  • Origin mirroring only occurs if no origin wildcard was used.

cyu and others added 5 commits June 13, 2017 07:39
And small updates to Rails configuration
* Don't mirror origin when Access-Control-Allow-Credentials is true.
* Prevent users from enabling wildcard origins with credentials.
@cyu cyu changed the base branch from master to 1.0-unstable July 15, 2017 14:01
@cyu cyu merged commit 8de292d into cyu:1.0-unstable Jul 15, 2017
Mr0grog added a commit to edgi-govdata-archiving/web-monitoring-db that referenced this pull request Aug 20, 2017
I broke remote authentication in e70230a. An upgrade to rack-cors changed the behavior of `origins '*'`
such that it now does not reflect the request's origin and instead actually sends '*' for the allowed origins header. That means authentication on our requests fails :(

See this change in rack-cors: cyu/rack-cors#142

We needed this behavior initially because it seemed like `Authorization` headers in our requests were getting stripped, but it seems like this may no longer be true. That needs more testing, though. For now, force rack-cors to return to its earlier behavior.

 Please enter the commit message for your changes. Lines starting
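A compact model of the three rules in the PR description above, and of the failure Mr0grog's commit message describes (a wildcard origin is now sent literally rather than mirrored, so a browser refuses to use the response for a credentialed request). This is an added example for this page, not rack-cors's own code; `CorsPolicy`, `headers_for` and `credentialed_response_usable?` are hypothetical names and the origins are constructed.

```ruby
# Simplified model of the post-#142 CORS rules (hypothetical, not rack-cors code).
class CorsPolicy
  WILDCARD = '*'.freeze

  attr_reader :origins, :credentials

  # origins: list of allowed origins, or '*' for the wildcard.
  # credentials: true/false, or nil for the default (true iff not wildcard).
  def initialize(origins:, credentials: nil)
    @origins = Array(origins)
    wildcard = @origins.include?(WILDCARD)
    # Wildcard origin plus credentials is the insecure combination the PR forbids.
    if wildcard && credentials == true
      raise ArgumentError, 'wildcard origin cannot be combined with credentials'
    end
    @credentials = credentials.nil? ? !wildcard : credentials
  end

  def wildcard?
    origins.include?(WILDCARD)
  end

  # CORS response headers for a request carrying the given Origin (nil if absent).
  def headers_for(request_origin)
    return {} if request_origin.nil?
    # With a wildcard the literal '*' is sent; the request origin is never mirrored.
    return { 'Access-Control-Allow-Origin' => WILDCARD } if wildcard?
    return {} unless origins.include?(request_origin)
    # Explicit origin: mirror it, mark the response as origin-dependent for caches,
    # and allow credentials only when the policy does.
    h = { 'Access-Control-Allow-Origin' => request_origin, 'Vary' => 'Origin' }
    h['Access-Control-Allow-Credentials'] = 'true' if credentials
    h
  end
end

# Browser-side rule (Fetch): a response to a credentialed request is usable only
# when Allow-Origin equals the request origin exactly (never '*') and
# Access-Control-Allow-Credentials is 'true'. This is why `origins '*'` broke
# authenticated requests in the commit message above.
def credentialed_response_usable?(headers, request_origin)
  headers['Access-Control-Allow-Origin'] == request_origin &&
    headers['Access-Control-Allow-Credentials'] == 'true'
end
```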