SecurityHeadersMiddleware

AntiClickjacking Origins checks RequestUri

Open jmvermeulen opened this issue 10 years ago • 10 comments

This code checks if the requestUri is in the origins, but the requestUri isn't the iframe host. Instead it's the current URL; of course this never works to allow an external origin.

    private static string DetermineValue(Uri[] origins, Uri requestUri)
    {
        Uri uri = Array.Find(origins, u => Rfc6454Utility.HasSameOrigin(u, requestUri));
        return uri == null ? "DENY" : "ALLOW-FROM {0}".FormatWith(Rfc6454Utility.SerializeOrigin(uri));
    }

jmvermeulen avatar Dec 10 '14 11:12 jmvermeulen

Thank you!

I worry that my intended functionality doesn't work :( After some research I can only get the remote IP address and not the remote URL.

Either I have to map between an IP address and an origin, or I can introduce a custom header to get the remote URL. Hmm... Crap!

@damianh

Any suggestions to this?

StefanOssendorf avatar Dec 10 '14 21:12 StefanOssendorf

Can you read the referrer URL? It isn't rock solid, but it could be an option.

At this stage the AntiClickjacking feature is only able to disallow, not whitelist. Removing the dynamic implementation makes whitelisting for one domain possible.

jmvermeulen avatar Dec 11 '14 18:12 jmvermeulen
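The comparison reported in the issue, and the Referer alternative suggested in the comment above, as an added example that is not the SecurityHeadersMiddleware project's own code. It reimplements the RFC 6454 same-origin test and origin serialisation inline (simplified to hierarchical schemes: scheme, host and port), so it runs without the project's Rfc6454Utility. The class name XFrameOptions, the method names SameOrigin, SerializeOrigin, DetermineValueAsReported, DetermineValueFromReferer and StaticAllowFrom, and the origins and URLs in Main are all assumed for this example and are constructed sample data.

```csharp
using System;

// Added example, not code from the SecurityHeadersMiddleware project.
// Models the DetermineValue logic quoted in the issue next to a Referer-based
// variant and a static single-origin header, to show which input each one
// actually compares against the allow-list.
public static class XFrameOptions
{
    // RFC 6454 origin equality for hierarchical schemes: scheme, host and
    // effective port must all match. System.Uri fills in the default port,
    // so "https://a.example" and "https://a.example:443" compare equal.
    public static bool SameOrigin(Uri a, Uri b) =>
        string.Equals(a.Scheme, b.Scheme, StringComparison.OrdinalIgnoreCase)
        && string.Equals(a.Host, b.Host, StringComparison.OrdinalIgnoreCase)
        && a.Port == b.Port;

    // Serialise an origin as scheme://host[:port], omitting a default port.
    public static string SerializeOrigin(Uri u) =>
        u.IsDefaultPort ? $"{u.Scheme}://{u.Host}" : $"{u.Scheme}://{u.Host}:{u.Port}";

    // The logic reported in the issue: the URI of the *current request* is
    // tested against the allow-list. The request URI is always an address of
    // the site serving the response, so an external embedder's origin in the
    // list can only match if the application itself is hosted at that origin.
    public static string DetermineValueAsReported(Uri[] origins, Uri requestUri)
    {
        Uri match = Array.Find(origins, o => SameOrigin(o, requestUri));
        return match == null ? "DENY" : "ALLOW-FROM " + SerializeOrigin(match);
    }

    // The only hint the server gets about the embedding document is the
    // Referer of the framed sub-request, when the browser sends one. As the
    // thread notes, this is client-supplied and not rock solid: it may be
    // absent, stripped by a referrer policy, or forged, so a missing or
    // unparsable value must fall back to DENY.
    public static string DetermineValueFromReferer(Uri[] origins, string referer)
    {
        if (string.IsNullOrEmpty(referer)
            || !Uri.TryCreate(referer, UriKind.Absolute, out Uri refUri))
        {
            return "DENY";
        }
        Uri match = Array.Find(origins, o => SameOrigin(o, refUri));
        return match == null ? "DENY" : "ALLOW-FROM " + SerializeOrigin(match);
    }

    // Static variant: ALLOW-FROM carries exactly one origin, which is all the
    // X-Frame-Options grammar permits, so whitelisting one domain is possible
    // without any per-request decision.
    public static string StaticAllowFrom(Uri origin) =>
        "ALLOW-FROM " + SerializeOrigin(origin);

    public static void Main()
    {
        // Constructed sample data: one external partner allowed to frame us,
        // and a request arriving at the application's own origin.
        var allowed = new[] { new Uri("https://partner.example") };
        var request = new Uri("https://app.example/dashboard");

        // Request URI is the application's own URL, never the embedder's.
        Console.WriteLine(DetermineValueAsReported(allowed, request));

        // Referer names the embedding page; a listed origin, an unlisted
        // origin, and no header at all.
        Console.WriteLine(DetermineValueFromReferer(allowed, "https://partner.example/embed.html"));
        Console.WriteLine(DetermineValueFromReferer(allowed, "https://other.example/"));
        Console.WriteLine(DetermineValueFromReferer(allowed, null));

        // Single static origin, independent of the request.
        Console.WriteLine(StaticAllowFrom(allowed[0]));
    }
}
```

DetermineValueAsReported can only produce ALLOW-FROM when the request itself arrives at one of the listed origins, which is why an allow-list of external embedders never matches. The Referer variant at least looks at the embedding document's URL, but it relies on a header the client controls and may omit, and ALLOW-FROM accepts a single origin, so it still cannot express a real multi-origin allow-list; that needs a different header (the Content-Security-Policy frame-ancestors directive), which is outside what this thread discusses.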

I thought I could extend the spec, which only allows one domain. Sad :/

I'm not sure if the OWIN spec contains a referrer URL.

StefanOssendorf avatar Dec 11 '14 18:12 StefanOssendorf

Are we talking about the HTTP Referer header? The OWIN spec doesn't (and never will) have anything to do with specific headers, just a header dictionary.

damianh avatar Dec 11 '14 20:12 damianh

Yeah, I was really wrong. I thought there was something equal to remoteIP.

StefanOssendorf avatar Dec 11 '14 20:12 StefanOssendorf

There is a server.RemoteIpAddress (http://owin.org/spec/spec/CommonKeys.html); AFAIK all hosts support this, except perhaps TestServer (it is easy to fake).

damianh avatar Dec 11 '14 20:12 damianh

Yeah, right. I hoped there was a similar key, like RemoteUrlAddress or something like that. Thanks for your answer :-)

StefanOssendorf avatar Dec 11 '14 20:12 StefanOssendorf

What is a 'RemoteUrlAddress'? Clients are not normally addressable / connectable. If you mean 'remote host', you'll have to do a reverse DNS lookup on the remote IP address. This has a cost, and not all (most) IPs will have a host name.

damianh avatar Dec 11 '14 20:12 damianh

Yes, remote host. Sorry ^^"

StefanOssendorf avatar Dec 11 '14 20:12 StefanOssendorf

Yeah, reverse DNS then. You couldn't trust a client to give you the correct value anyway.

damianh avatar Dec 11 '14 20:12 damianh