Here's an example, we have the debugger stopped inside isSameOrigin...
(NOTE: the 403 is caused by this CORS filter - because isSameOrigin returns false when it should be true - as they're most def. the same origin)
As you can see in playframework/web/play-filters-helpers/src/main/scala/play/filters/cors/AbstractCORSPolicy.scala (line 315 in 53e55f0), the AbstractCORSPolicy is using request.secure to determine whether to compare the scheme/protocol of the Origin header with http or https.

request.secure is determined by a variety of things (including trustedProxies - see #5829) and so the request could legitimately be made via https from the client, yet not be considered the same origin because request.secure is false. For example if it goes via a proxy (nginx locally, AWS ELB etc) the isSameOrigin function is considering it to have gone over http, and as such one must trust all proxies (https://www.playframework.com/documentation/2.8.x/HTTPServer#Trusting-all-proxies) which seems overly permissive.

As a side note (which doesn't affect the output of the function), I think the variable names are also the wrong way round... In playframework/web/play-filters-helpers/src/main/scala/play/filters/cors/AbstractCORSPolicy.scala (lines 314 to 316 in 53e55f0), note how hostUri is created from the Origin header value and originUri is being built from the request.host.
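To make the failure mode concrete, here is an added Python model of the same-origin check described above. It is not Play's code: the Request dataclass, the way is_secure() models request.secure with a trusted-proxy list and X-Forwarded-Proto, and all sample addresses and hosts are constructed assumptions. It shows the https-via-proxy request being treated as http (and so as a different origin) when no proxy is trusted, matching once the proxy's address range is trusted, and a forwarded-scheme header from an untrusted peer being ignored, which is the reason a blanket "trust all proxies" setting is more permissive than trusting a specific range.

```python
"""Model of the CORS same-origin check described in the issue (added example,
not Play's code). Assumptions: the Request dataclass, the trusted-proxy
handling in is_secure(), and all sample values are constructed here."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


@dataclass
class Request:
    """Minimal stand-in for a request header as a CORS filter sees it (constructed)."""
    host: str                   # Host header value, e.g. "app.example.com" or "app.example.com:9000"
    tls_terminated_here: bool   # True only when TLS terminates at this server process
    remote_addr: str            # address of the TCP peer (the proxy, when behind one)
    headers: dict = field(default_factory=dict)


def is_secure(req: Request, trusted_proxies: list[str]) -> bool:
    """Model of request.secure: a request counts as secure if TLS terminated here,
    or if a trusted proxy forwarded it with X-Forwarded-Proto: https.  The header
    is ignored from untrusted peers, which is why "trust all proxies" is permissive:
    it would let any direct client claim https."""
    if req.tls_terminated_here:
        return True
    peer = ip_address(req.remote_addr)
    if any(peer in ip_network(cidr) for cidr in trusted_proxies):
        return req.headers.get("X-Forwarded-Proto", "").lower() == "https"
    return False


def _effective_port(parts) -> int:
    """Explicit port if present, else the default for the scheme."""
    return parts.port or (443 if parts.scheme == "https" else 80)


def is_same_origin(origin: str, req: Request, trusted_proxies: list[str]) -> bool:
    """Compare the Origin header against the request's own origin.  As in the
    filter the issue describes, the request's scheme is derived from the secure
    flag, so a wrong secure flag flips the result even when host and port match."""
    origin_uri = urlsplit(origin)                       # built from the Origin header
    scheme = "https" if is_secure(req, trusted_proxies) else "http"
    request_uri = urlsplit(f"{scheme}://{req.host}")   # built from request.host
    return (origin_uri.scheme == request_uri.scheme
            and origin_uri.hostname == request_uri.hostname
            and _effective_port(origin_uri) == _effective_port(request_uri))


def demo() -> dict:
    """Run the proxy scenario from the issue with constructed sample values."""
    # Browser -> https -> load balancer at 10.1.2.3 -> plain http -> app server.
    proxied = Request(host="app.example.com", tls_terminated_here=False,
                      remote_addr="10.1.2.3",
                      headers={"X-Forwarded-Proto": "https"})
    # Direct client (no proxy in the path) that sets the header itself.
    direct = Request(host="app.example.com", tls_terminated_here=False,
                     remote_addr="203.0.113.9",
                     headers={"X-Forwarded-Proto": "https"})
    origin = "https://app.example.com"
    return {
        # No trusted proxies: secure is False, scheme mismatch, the filter rejects (the 403).
        "proxied_untrusted": is_same_origin(origin, proxied, []),
        # Proxy range trusted: the forwarded scheme is honoured and the origins match.
        "proxied_trusted": is_same_origin(origin, proxied, ["10.0.0.0/8"]),
        # The same header from an untrusted peer is not honoured.
        "direct_spoofed": is_same_origin(origin, direct, ["10.0.0.0/8"]),
        # A direct client on http matches an http Origin as expected.
        "direct_http": is_same_origin("http://app.example.com", direct, ["10.0.0.0/8"]),
    }


if __name__ == "__main__":
    for name, same in demo().items():
        print(f"{name}: same origin = {same}")
```

The two URI variables are named after what they are built from (origin_uri from the Origin header, request_uri from request.host), which is the naming the side note above suggests. Trusting a specific proxy CIDR rather than every peer is what keeps the forwarded scheme from being spoofable by a client that connects directly.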