Check scheme in WebUtils#isSameOrigin [SPR-16362] #20909

Closed
spring-issuemaster opened this Issue Jan 9, 2018 · 0 comments

spring-issuemaster commented Jan 9, 2018

Sébastien Deleuze opened SPR-16362 and commented

The CORS specification specifies that "an origin is composed of only the scheme, hostname, and port", but WebUtils#isSameOrigin currently only checks hostname and port.

Based on my current understanding, the main way to trigger an incorrect behavior with the current implementation is to send a request from http://domain.com to https://domain.com or the other way around. Based on the spec, it should be detected by the browser as a cross-origin request but won't be understood as such by our implementation, skipping CORS checks and CORS response header processing, resulting in such an HTTP exchange being rejected by the browser due to the lack of CORS response headers.

Note that performing a check on the scheme should be done very carefully in that context because it could have some unexpected side effects given that:

  • Unlike the Origin one, the Host header does not contain the scheme information (for example Host: domain.com)
  • Chrome and Safari include the Origin header for some same-origin requests, making such a change on WebUtils#isSameOrigin risky.

Issue Links:

  • #20809 spring-web CORS requires X-Forwarded-Port

Referenced from: commits 896eb56
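To make the comparison the issue asks for concrete, here is an added, stand-alone illustration (not Spring's WebUtils code) of a same-origin check that compares scheme, host and port. The `Origin` record, the `isSameOrigin` signature and the helper names are assumptions for this example. It follows the two caveats from the issue: the request side is rebuilt from the request's own scheme plus the Host header because Host carries no scheme, and a request without an Origin header is treated as same-origin, since the browser did not mark it as cross-origin.

```java
import java.net.URI;

/**
 * Added example, not Spring's implementation: a same-origin check that
 * compares scheme, host and port, in line with the CORS definition of an
 * origin. All names here are assumptions for the illustration.
 */
public final class OriginCheckExample {

    /** Default port implied by a scheme when the URI or Host omits one; -1 if unknown. */
    static int defaultPort(String scheme) {
        if ("http".equalsIgnoreCase(scheme) || "ws".equalsIgnoreCase(scheme)) return 80;
        if ("https".equalsIgnoreCase(scheme) || "wss".equalsIgnoreCase(scheme)) return 443;
        return -1;
    }

    /** Normalised (scheme, host, port) triple; case-folded, port resolved from the scheme when absent. */
    record Origin(String scheme, String host, int port) {

        /** Parse an Origin header value such as "https://domain.com" or "http://domain.com:8080". */
        static Origin parse(String originValue) {
            URI uri = URI.create(originValue);
            if (uri.getScheme() == null || uri.getHost() == null) {
                throw new IllegalArgumentException("origin must contain scheme and host: " + originValue);
            }
            int port = uri.getPort() == -1 ? defaultPort(uri.getScheme()) : uri.getPort();
            return new Origin(uri.getScheme().toLowerCase(), uri.getHost().toLowerCase(), port);
        }

        /**
         * Build the request's own origin. The Host header has no scheme
         * (e.g. "Host: domain.com"), so the scheme must come from the request
         * itself and is prepended before parsing.
         */
        static Origin fromRequest(String requestScheme, String hostHeader) {
            return parse(requestScheme + "://" + hostHeader);
        }
    }

    /**
     * True when the Origin header matches the request's scheme, host and port.
     * A missing Origin header counts as same-origin: the browser only adds it
     * when it considers the request cross-origin (plus the same-origin cases
     * noted in the issue, which still match because scheme, host and port agree).
     */
    static boolean isSameOrigin(String requestScheme, String hostHeader, String originHeader) {
        if (originHeader == null || originHeader.isEmpty()) {
            return true;
        }
        Origin request = Origin.fromRequest(requestScheme, hostHeader);
        Origin origin = Origin.parse(originHeader);
        return request.equals(origin); // record equality covers all three fields
    }

    public static void main(String[] args) {
        // Constructed sample inputs: request scheme, Host header, Origin header.
        System.out.println(isSameOrigin("http", "domain.com", "http://domain.com"));
        // Scheme differs: the case from the issue that a host+port-only check misses.
        System.out.println(isSameOrigin("https", "domain.com", "http://domain.com"));
        // Explicit default port on one side, implicit on the other.
        System.out.println(isSameOrigin("https", "domain.com", "https://domain.com:443"));
        // Same scheme and host, different port.
        System.out.println(isSameOrigin("http", "domain.com:8080", "http://domain.com"));
    }
}
```

The scheme passed in as `requestScheme` is where the side effects the issue warns about surface: when TLS is terminated by a reverse proxy, the servlet sees `http` while the browser sent `Origin: https://...`, so the check must use the forwarded scheme (as the linked issue #20809 does for the port) or it will flag genuine same-origin requests as cross-origin.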
