Treat a literal "null" Origin like a missing Origin#208
Closed
c-tonneslan wants to merge 1 commit into
Closed
Conversation
Per RFC 6454 §7.3 user agents must send Origin: null from privacy-sensitive contexts (sandboxed iframes, file://, etc.). The opaque value can't be checked against an allowlist, so trying to compare it short-circuits the request with ErrBadOrigin even when the regular Referer-based check would otherwise accept it. Fall through to the existing Referer logic when Origin is "null". For TLS requests that still demands a valid Referer, so the security posture is unchanged. Closes gorilla#205 Signed-off-by: Charlie Tonneslan <cst0520@gmail.com>
Author
|
Closing in favor of #207 which I already had open for the same issue. Sorry for the duplicate. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #205. Per RFC 6454 §7.3, user agents must send
Origin: nullfrom privacy-sensitive contexts (sandboxed iframes,file://, redirects fromdata:URLs, etc.). The opaque value can't be checked against an allowlist, so the current code returnsErrBadOrigineven when the regular Referer-based check would otherwise accept the request.This treats
Origin: nulllike a missingOriginheader: skip the origin allowlist check and let the existing Referer logic decide. For TLS requests that still demands a valid Referer (since theorigin == "" && !isPlaintextblock runs), so the security posture is unchanged.Added a regression test covering both the cleartext-passes and TLS-no-referer-rejects paths.
Closes #205