
Should isSameOrigin in AbstractCORSPolicy really use request.secure to determine http vs https? #10928

Open
twrichards opened this issue Jul 15, 2021 · 2 comments

Comments

@twrichards
twrichards commented Jul 15, 2021

As you can see in...

val originUri = new URI((if (request.secure) "https://" else "http://") + request.host.toLowerCase(Locale.ENGLISH))

... the AbstractCORSPolicy is using request.secure to determine whether to compare the scheme/protocol of the Origin header with http or https.

request.secure is determined by a variety of things (including trustedProxies - see #5829) and so the request could legitimately be made via https from the client, yet not be considered the same origin because request.secure is false. For example, if it goes via a proxy (nginx locally, AWS ELB etc.) the isSameOrigin function considers it to have gone over http, and as such one must follow https://www.playframework.com/documentation/2.8.x/HTTPServer#Trusting-all-proxies, which seems overly permissive.

As a side note (which doesn't affect the output of the function), I think the variable names are also the wrong way round...

val hostUri = new URI(origin.toLowerCase(Locale.ENGLISH))
val originUri = new URI((if (request.secure) "https://" else "http://") + request.host.toLowerCase(Locale.ENGLISH))
(hostUri.getScheme, hostUri.getHost, hostUri.getPort) == (originUri.getScheme, originUri.getHost, originUri.getPort)

... note how hostUri is created from the Origin header value and originUri is being built from the request.host.

@twrichards

Here's an example, we have the debugger stopped inside isSameOrigin...
[screenshot: debugger paused inside isSameOrigin]
(NOTE: the 403 is caused by this CORS filter - because isSameOrigin returns false when it should be true - as they're most def. the same origin)
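To make the failure mode described in this issue concrete, here is an added Python model (written for this page, not Play Framework code) of the quoted Scala comparison together with a simplified version of how request.secure is derived. The trusted-proxy logic, the default trusted list of 127.0.0.1 and ::1, and the sample requests are all assumptions constructed for the illustration; only the scheme/host/port comparison mirrors the snippet quoted above.

```python
"""Model of AbstractCORSPolicy.isSameOrigin and of the request.secure input it
depends on. Added illustration for this issue; not Play code. The derivation of
request.secure below is a simplified assumption modelled on Play's
play.http.forwarded.trustedProxies behaviour."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    host: str                              # Host header, e.g. "app.example.com"
    remote_addr: str                       # peer address of the TCP connection
    tls_on_socket: bool                    # True if Play itself terminated TLS
    x_forwarded_proto: Optional[str] = None
    origin: Optional[str] = None           # Origin header sent by the browser


def request_secure(req: Request, trusted_proxies: List[str]) -> bool:
    """Simplified model (assumption): direct TLS wins; otherwise
    X-Forwarded-Proto is honoured only when the peer is a trusted proxy."""
    if req.tls_on_socket:
        return True
    peer = ip_address(req.remote_addr)
    # IPv4 addresses are never "in" an IPv6 network and vice versa.
    trusted = any(peer in ip_network(cidr) for cidr in trusted_proxies)
    return trusted and (req.x_forwarded_proto or "").lower() == "https"


def is_same_origin(origin: str, host: str, secure: bool) -> bool:
    """Mirror of the quoted Scala: the scheme on the request side comes from
    request.secure, not from anything the browser sent."""
    origin_uri = urlsplit(origin.lower())
    host_uri = urlsplit(("https://" if secure else "http://") + host.lower())
    return (origin_uri.scheme, origin_uri.hostname, origin_uri.port) == \
           (host_uri.scheme, host_uri.hostname, host_uri.port)


def cors_same_origin(req: Request, trusted_proxies: List[str]) -> bool:
    """What the CORS filter effectively evaluates for a request with an Origin."""
    return is_same_origin(req.origin, req.host, request_secure(req, trusted_proxies))


# Constructed scenario: browser on https://app.example.com, TLS terminated by
# nginx at 10.0.0.5, which forwards plain HTTP plus X-Forwarded-Proto to Play.
BEHIND_NGINX = Request(host="app.example.com", remote_addr="10.0.0.5",
                       tls_on_socket=False, x_forwarded_proto="https",
                       origin="https://app.example.com")

# Constructed: an arbitrary internet client connecting straight to Play and
# forging the header, no proxy involved.
FORGED = Request(host="app.example.com", remote_addr="203.0.113.9",
                 tls_on_socket=False, x_forwarded_proto="https",
                 origin="https://app.example.com")

DEFAULT_TRUSTED = ["127.0.0.1", "::1"]                 # assumed default list
LAN_TRUSTED = ["127.0.0.1", "::1", "10.0.0.0/8"]       # proxy subnet added
TRUST_ALL = ["0.0.0.0/0", "::/0"]                      # "trust all proxies"

if __name__ == "__main__":
    # Default list: the proxy is untrusted, so secure=False, scheme becomes
    # http, and the genuinely same-origin request is treated as cross-origin.
    print(cors_same_origin(BEHIND_NGINX, DEFAULT_TRUSTED))   # False
    # Naming the proxy subnet fixes it without trusting the whole internet.
    print(cors_same_origin(BEHIND_NGINX, LAN_TRUSTED))       # True
    # Trusting all proxies also "fixes" it, but now any client can assert https.
    print(request_secure(FORGED, TRUST_ALL))                 # True
    print(request_secure(FORGED, LAN_TRUSTED))               # False
```

The middle case is the practical takeaway: listing the actual proxy's address range in trustedProxies makes request.secure (and therefore isSameOrigin) correct for traffic that really came through that proxy, while the trust-all setting lets any direct client flip request.secure with a forged X-Forwarded-Proto header.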

@gmethvin
Member

gmethvin commented Sep 30, 2021

How else could Play determine the protocol for the request? Unfortunately this is a challenging problem to solve in a secure way.
