Why run request handlers "successfully" if the request fails CORS? #109
Comments
|
This is how the CORS specification (http://www.w3.org/TR/cors/) is written. |
|
Essentially CORS is written as a form of "double-opt-in" such that a server that has no idea what CORS is is not vulnerable to anything. Your example route would still be vulnerable with a simple |
|
I forgot to mention, that if you do want to implement this, you can do so by passing a |
|
Thanks for the quick and thorough response @dougwilson. I don't see why you would want to "stop" at the CORS specification—what's the use of responding if the response can't be used?—but that's your call. Easy to fix in user-space / another package.
At least for my use case, the |
|
Hi @wearhere you were asking, technically why the default behavior was the way it was, which is that the default is closest to the specification. We provide mechanisms to differ from the spec as I provided above for your use-case, so I hope that helps. The CORS specification was never designed as a security mechanism to prevent routes from being called; it was only designed as a mechanism to allow a hole to be added to the cross-origin rules of browser user agents. The specification is designed such that a "CORS failure" should look exactly as if the server has no idea what CORS is--in which case the request will still go through. I would suggest bring this up to the W3C if you would like implementers to implement it differently, and I would be happy to do so; this really isn't the forum to get changes progressed through the specification :) |
|
Ah, @dougwilson your defaults make sense to me. What I wonder is, would you be open to a PR that added a setting to simplify the "have the cors({
// Modelled after `preflightContinue` / `optionsSuccessStatus`.
mismatchContinue: false, // defaults to `true`
mismatchStatus: 400 // the default
})and then if the origin didn't match (here, and if the origin failed some new checking here) and |
|
HI @wearhere sure, feel free to make that PR. I'm a little confused, because it won't even work for your use-case; a missing
Please be aware that this module supports all Node.js and not is Express-only, so you need to use only the Node.js API https://nodejs.org/dist/latest-v6.x/docs/api/http.html#http_class_http_serverresponse |
…tchContinue: false` This option enables this module to be used for basic CSRF protection as recommended by the OWASP: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Checking_the_Origin_Header, while remaining strictly compatible with the CORS specification by default. When `mismatchComplete === false` and a request's origin header is either missing or not allowed, per the module's configuration, the middleware will terminate the request rather than execute the next handler. If `mismatchComplete` is any other value, the middleware will execute the next handler as before. When the middleware terminates the request, it does so with a 400 by default since https://httpstatuses.com/400 says that can be used for "deceptive request routing"; this status code is configurable with `mismatchStatus`. Fixes expressjs#109.
|
Here's my PR @dougwilson: #110 Thanks for your consideration! |
…ils to satisfy the CORS configuration, as enabled using the expressjs/cors module, the request will _not_ be rejected by Express. It will simply cause the CORS response header(s) to not be set on the response. As a result, a CORS-compliant browser will raise an error such as the following upon receipt of the response: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8082/v3/entry/gitlab/ihispanic/staticman-test/master/comments. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)." "The CORS specification was never designed as a security mechanism to prevent routes from being called; it was only designed as a mechanism to allow a hole to be added to the cross-origin rules of browser user agents." - expressjs/cors#109 (comment) In practice... - Using CORS to restrict the requesting origin would prevent another site from pointing their POST requests at my Staticman instance. But, if the submissions were high-quality, what reason would I have to complain? And low-quality submissions could just as easily come through via my site. Furthermore, those requests would still be processed by Staticman. - Using CORS to restrict the requesting origin would not prevent a truly malicious actor from submitted POST requests using a tool (e.g., Postman, etc.) that allows for the Origin header to be spoofed. Restricting POST requests to a Staticman instance, therefore, comes down to use of express-brute, Akismet, captchas, and the like.
If a request fails CORS as specified by this module's configuration, the module will not set the CORS headers on the response. However, it will still call
next, causing the usual request handler to run. This can be a problem if the request is expensive to handle, or has side effects.What is the thinking behind this? It seems reasonable to terminate the request immediately, or at least call
nextwith an error, if it's going to fail client-side due to the lack of CORS headers.Here is a small project demonstrating this issue: https://github.com/mixmaxhq/cors-response-tester.
The text was updated successfully, but these errors were encountered: