
Allow same-origin requests #105

Merged

merged 1 commit into keratin:master from silasdavis:allow-same-origin on Jun 11, 2019

Conversation

@silasdavis (Contributor) commented May 31, 2019

By inferring domain from Referer header iff Origin header is missing.

Some browsers (e.g. Firefox) do not send Origin header for same-origin requests. Since we implicitly rely on the browser to add the header for any cross-origin requests we ought to similarly be able to infer that it is not a cross-origin request when the Origin header is missing. This encodes that assumption and as suggested in #67 uses the Referer header to observe the same origin in question. We fail if the Referer header is missing and we only ever consider the Referer header if the Origin header is missing.

Closes #67.

Signed-off-by: Silas Davis silas@monax.io
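The rule described above, written out as an added Go example (this is not authn-server's own lib/route code; the function names, the handler wrapper and the example.test hostnames are assumed for illustration):

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// schemeHost reduces an absolute URL to "scheme://host[:port]", the form an
// Origin header takes. "Origin: null" has no scheme, so it is rejected here.
func schemeHost(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("origin: cannot derive origin from %q", raw)
	}
	return u.Scheme + "://" + u.Host, nil
}

// requestOrigin applies the PR's rule: Origin when present; otherwise (Firefox
// omits it on same-origin requests) Referer; an error if neither is present.
func requestOrigin(r *http.Request) (string, error) {
	if o := r.Header.Get("Origin"); o != "" {
		return schemeHost(o)
	}
	if ref := r.Header.Get("Referer"); ref != "" {
		return schemeHost(ref)
	}
	return "", fmt.Errorf("origin: neither Origin nor Referer header present")
}

// OriginSecurity rejects requests whose derived origin is not in allowed.
func OriginSecurity(allowed []string, next http.Handler) http.Handler {
	set := map[string]bool{}
	for _, a := range allowed {
		set[a] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin, err := requestOrigin(r); err != nil || !set[origin] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	r, _ := http.NewRequest("GET", "https://app.example.test/session", nil)
	r.Header.Set("Referer", "https://app.example.test/login?next=/")
	fmt.Println(requestOrigin(r)) // https://app.example.test <nil>
}
```

The allowed list is compared exactly, so an entry must match the scheme and host (and any explicit port) the browser sends.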

@coveralls commented May 31, 2019

Coverage Status

Coverage increased (+0.07%) to 77.433% when pulling 84d931e on silasdavis:allow-same-origin into aabc601 on keratin:master.

@cainlevy (Member) left a comment

nice and thorough tests.

would you add a changelog entry?

Origin header is missing.

Closes keratin#67.

Signed-off-by: Silas Davis <silas@monax.io>
@silasdavis (Contributor, Author)

Pulled out some assertions from loop and added to changelog

@cainlevy cainlevy merged commit 9db59ec into keratin:master Jun 11, 2019
Successfully merging this pull request may close these issues.

CORS issue with same-origin deployment
3 participants