disable "null" cors origin

This is impossible to secure properly and Tor users can report origin by setting network.http.referer.hideOnionSource to false Thanks Kamil Vavra for the report!
trezor · Nov 4, 2020 · ddead55 · ddead55
1 parent a29dfe1
commit ddead55
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 12 deletions.
diff --git a/server/api/api.go b/server/api/api.go
@@ -254,12 +254,6 @@ func corsValidator() (OriginValidator, error) {
 	}
 
 	v := func(origin string) bool {
-		// * Electron
-		// * Tor Browser when `network.http.referer.hideOnionSource` is set to `true` (default)
-		if origin == "null" {
-			return true
-		}
-
 		if trezorRegex.MatchString(origin) {
 			return true
 		}

diff --git a/server/api/api_test.go b/server/api/api_test.go
@@ -10,8 +10,6 @@ func TestOriginValidator(t *testing.T) {
 		origin string
 		allow  bool
 	}{
-		// `null` should be allowed
-		{"null", true},
 		// HTTPS for trezor.io should be allowed
 		{"https://trezor.io", true},
 		{"https://foo.trezor.io", true},

diff --git a/server/api/cors.go b/server/api/cors.go
@@ -61,10 +61,6 @@ func (ch *cors) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	if origin == "null" {
-		origin = "*"
-	}
-
 	w.Header().Set(corsAllowOriginHeader, origin)
 
 	if r.Method == corsOptionMethod {