Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BGDIINF_SB-2420: Fixed browser origin validation and CORS - #patch #47

Merged
merged 1 commit into from
Jun 9, 2022
Merged

BGDIINF_SB-2420: Fixed browser origin validation and CORS - #patch #47

merged 1 commit into from
Jun 9, 2022

Conversation

ltshb
Copy link
Contributor

@ltshb ltshb commented Jun 9, 2022

The browser doesn't add the origin header when the request is made from the
same origin. However it does always send the 'Sec-Fetch-Site' header telling
if the request is from the same origin, cross origin or from user.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site.
Unfortunately this 'Sec-Fetch-Site' header is not supported by Safari !
Moreover we cannot hack the web application to always set the Origin header as
most browser don't allow it.

So we need to check 2 headers: Sec-Fetch-Site and Origin with a fallback to the
Referer for Safari.

Although this is usually not an issue for shortlink as it is always used from a
different origin, the code has been corrected for completeness and consistency
with other services.

Also to have the correct CORS header in case of same origin we need to add the
correct allowed origin in CORS header which is the same as the request. In case
of cross-site then we use the Origin header as allowed origin in CORS. In case
where the Origin header is not allowed, we use the request domain as
Access-Control-Allow-Origin header.

In case of redirect, the Access-Control-Allow-Origin header was not set
if the origin was not from the allowed origin. Now this header in case of
redirect is always set to * which tell the client that all origins are
allowed for the redirect request.

@ltshb ltshb requested a review from hansmannj June 9, 2022 06:27
@github-actions github-actions bot added the bug label Jun 9, 2022
@ltshb
BGDIINF_SB-2420: Fixed browser origin validation and CORS - #patch
d988ba5 
The browser doesn't add the origin header when the request is made from the
same origin. However it does always send the 'Sec-Fetch-Site' header telling
if the request is from the same origin, cross origin or from user.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site.
Unfortunately this 'Sec-Fetch-Site' header is not supported by Safari !
Moreover we cannot hack the web application to always set the Origin header as
most browser don't allow it.

So we need to check 2 headers: Sec-Fetch-Site and Origin with a fallback to the
Referer for Safari.

Although this is usually not an issue for shortlink as it is always used from a
different origin, the code has been corrected for completeness and consistency
with other services.

Also to have the correct CORS header in case of same origin we need to add the
correct allowed origin in CORS header which is the same as the request. In case
of cross-site then we use the Origin header as allowed origin in CORS. In case
where the Origin header is not allowed, we use the request domain as
Access-Control-Allow-Origin header.

In case of redirect, the `Access-Control-Allow-Origin` header was not set
if the origin was not from the allowed origin. Now this header in case of
redirect is always set to `*` which tell the client that all origins are
allowed for the redirect request.
@ltshb ltshb force-pushed the bug-BGDIINF_SB-2420-origin-header branch from d0efe5e to d988ba5 Compare June 9, 2022 08:57
@ltshb ltshb requested a review from pakb June 9, 2022 12:05
hansmannj
hansmannj reviewed Jun 9, 2022
View reviewed changes
Copy link
Member

@hansmannj hansmannj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll have a deeper look at this PR soon.
After a quick look: @pakb could this also help with the origin header problem with service-icons? Seems so at a first glance..

@pakb
Copy link

pakb commented Jun 9, 2022

I'll have a deeper look at this PR soon. After a quick look: @pakb could this also help with the origin header problem with service-icons? Seems so at a first glance..

Yes that is related, we have some issue with headers that we try to solve on the backend side

pakb
pakb approved these changes Jun 9, 2022
View reviewed changes
tests/unit_tests/test_routes.py
{'Sec-Fetch-Site': 'none'},
{'Sec-Fetch-Site': 'cross-site'},
)
def test_get_shortlink_redirect_origin_allowed(self, headers):
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it be useful to also add a test to cover a redirect with wrong headers?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

redirect should always be allowed and in this test I think I cover almost all possible headers including regular allowed and also non allowed header for the create.

@ltshb ltshb merged commit a7e7379 into develop Jun 9, 2022
@ltshb ltshb deleted the bug-BGDIINF_SB-2420-origin-header branch June 9, 2022 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hansmannj hansmannj hansmannj left review comments

@pakb pakb pakb approved these changes

Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ltshb @pakb @hansmannj