No effective CORS origin restriction in the API #3601

Open
tuxpiper opened this issue Jul 1, 2019 · 0 comments

@tuxpiper (Member) commented Jul 1, 2019

Describe the bug
Currently, CORS pre-flight requests to the API are always answered affirmatively, as in: the Origin header provided in the request is copied into the list of allowed origins. As a result, any origin is a good origin.

Our current default, and only obvious setup option, is not to have effective CORS origin restrictions, which opens up attack vectors in the browser, targeting any deployment.

For someone who would like to tighten their setup, we provide no obvious, immediate way to enable effective CORS restrictions.

Where was the bug observed
Any recent deployment

To Reproduce
Steps to reproduce the behavior:

  1. Open a deployment in a browser with the network tab of developer tools open
  2. Copy any of the OPTIONS requests as a curl command
  3. Paste the curl command in the terminal, modify the Origin header sent in the request
  4. Observe how magically the response adapts to the modified Origin.

Expected behavior
By default, the API should be configured to only accept as Origin the corresponding platform-client web application domain.

There could be easy, documented ways of:

  • adding additional allowed origins
  • switching this protection off, allowing all domains (maybe with a more explicit "*" value)

Is there a workaround? What is it?
n/a

Screenshots
n/a

URL / Environment where this happened
This affects SaaS and any deployment of this software (unless the system administrator has added configuration in the webserver to override this behavior)
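The two behaviours this issue contrasts, as an added example that is not part of the issue or of the project's code: a pre-flight handler that reflects whatever Origin it receives (the current behaviour reported above, which is why changing the Origin in the copied curl command "magically" changes the response), beside one that checks the Origin against an explicit allow-list with a literal "*" to switch the restriction off. The function names, the `allowedOrigins` option and the sample origins are hypothetical; the handlers return only the CORS response headers so the logic can be run on its own.

```javascript
// Added example, not the project's code. Both functions take a plain object of
// request headers (lower-case names, as Node's http module exposes them) and
// return the CORS response headers the API would send on a pre-flight.

// Vulnerable pattern described in the issue: the request's Origin is copied
// straight into Access-Control-Allow-Origin, so every origin is accepted.
function reflectingCorsHeaders(requestHeaders) {
  const origin = requestHeaders.origin;
  if (!origin) return {}; // same-origin or non-browser request: no CORS headers needed
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Reduce an Origin header to scheme://host[:port]. Returns null for anything
// that does not parse as a URL or whose origin is opaque ("null").
function normalizeOrigin(origin) {
  try {
    const parsed = new URL(origin);
    return parsed.origin === 'null' ? null : parsed.origin;
  } catch {
    return null;
  }
}

// Hardened pattern: only origins in the configured allow-list are echoed back.
// allowedOrigins is a list of origins, or the single value '*' to disable the
// restriction explicitly (hypothetical setting; the issue suggests this shape).
function allowListCorsHeaders(requestHeaders, allowedOrigins) {
  const origin = requestHeaders.origin;
  if (!origin) return {};

  if (allowedOrigins.length === 1 && allowedOrigins[0] === '*') {
    // Wildcard: browsers refuse to combine '*' with credentials, so none are allowed.
    return { 'Access-Control-Allow-Origin': '*' };
  }

  const requested = normalizeOrigin(origin);
  const allowed = allowedOrigins.map(normalizeOrigin).filter((o) => o !== null);
  // Exact match on the normalized origin: a prefix or suffix match would let
  // "https://app.example.com.evil.example" through.
  if (requested === null || !allowed.includes(requested)) {
    return {}; // no Access-Control-Allow-Origin: the browser blocks the cross-origin read
  }
  return {
    'Access-Control-Allow-Origin': requested,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Constructed pre-flight headers, mirroring step 3 of the reproduction: the same
// request with the Origin swapped for an attacker-controlled site.
const legitimatePreflight = { origin: 'https://app.example.com', 'access-control-request-method': 'GET' };
const attackerPreflight = { origin: 'https://attacker.example', 'access-control-request-method': 'GET' };
const platformClientOrigins = ['https://app.example.com'];

console.log('reflecting, attacker origin:', reflectingCorsHeaders(attackerPreflight));
console.log('allow-list, attacker origin:', allowListCorsHeaders(attackerPreflight, platformClientOrigins));
console.log('allow-list, legitimate origin:', allowListCorsHeaders(legitimatePreflight, platformClientOrigins));
```

Note that `Vary: Origin` is emitted alongside the allow-listed value so a shared cache does not serve one origin's pre-flight response to another; with the reflecting handler the header is irrelevant, since every origin gets its own value echoed back anyway.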
