csrf icon indicating copy to clipboard operation
csrf copied to clipboard
verified publisher icon gorilla

[BUG] origin invalid when comparing allowed origins

Open clD11 opened this issue 7 months ago • 0 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

Is it intentional that we are comparing the parsed origin host against the slice of trusted origins opposed to comparing the parsed origin against the trusted origins?

For example, in the code below taken from here

			if !sameOrigin(&requestURL, parsedOrigin) && !slices.Contains(cs.opts.TrustedOrigins, parsedOrigin.Host) {
				r = envError(r, ErrBadOrigin)
				cs.opts.ErrorHandler.ServeHTTP(w, r)
				return
			}

compares the cs.opts.TrustedOrigins against the parsedOrigin.Host i.e. it drops the schema and if the list of trusted origins follows the pattern of Origin: <scheme>://<hostname> then this will fail. Also, the sameOrigin(&requestURL, parsedOrigin) checks the origin including the schema.

As far as I can see there is not mention that the list of trusted origins must drop the schema and this has caused some breakage moving to 1.7.3.

Expected Behavior

The !slices.Contains(cs.opts.TrustedOrigins, parsedOrigin.Host) would compare the full parsedOrigin against the trusted origins. For example, !slices.Contains(cs.opts.TrustedOrigins, parsedOrigin).

Steps To Reproduce

No response

Anything else?

No response

clD11 avatar May 30 '25 20:05 clD11