Simplify CORS checks and don't restrict host names. #7876

Merged
merged 1 commit into from
Apr 19, 2023

Conversation

thess
@thess thess commented Apr 18, 2023

Validate Origin/Host headers as follows:

  1. If No Origin: specified, then return OK
  2. If Origin: does not have http: scheme, treat as # 1 above
  3. If No Host given, and Origin: specified, return 403
  4. If both Host: and Origin: are specified, check for hostname match (including port #)
    Origin: is OK if same as Host: --> return Origin:, otherwise 403.
  5. Special debugging case allowed for Origin: equal "localhost" (ignoring port #)

See discussion in #7875 for rationale and details.
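The five rules above, written out as a standalone check in C. This is an added example for readers of the PR, not the CircuitPython web workflow code itself; the function name `cors_check`, the result struct, and the assumption that "http: scheme" means an `http://` prefix are mine. It returns the HTTP status to send and, on success, the `Origin` value to echo back (NULL when no `Origin` was given or it was ignored under rule 2).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the Origin/Host validation: the status to respond with and,
 * when allowed, the Origin string to return in Access-Control-Allow-Origin.
 * (Hypothetical type for this example, not the project's own.) */
typedef struct {
    int status;               /* 200 or 403 */
    const char *allow_origin; /* NULL when no Origin should be echoed */
} cors_result_t;

/* Copy the "host[:port]" part of an http:// origin into buf (no path). */
static bool origin_authority(const char *origin, char *buf, size_t buflen) {
    const char *p = origin + strlen("http://");
    size_t n = strcspn(p, "/");
    if (n == 0 || n >= buflen) {
        return false; /* empty or oversized authority: treat as invalid */
    }
    memcpy(buf, p, n);
    buf[n] = '\0';
    return true;
}

/* Compare two authorities while ignoring any ":port" suffix on either side. */
static bool host_only_equals(const char *a, const char *b) {
    size_t la = strcspn(a, ":");
    size_t lb = strcspn(b, ":");
    return la == lb && strncmp(a, b, la) == 0;
}

/* host and origin are the raw header values, or NULL when the header is absent. */
cors_result_t cors_check(const char *host, const char *origin) {
    cors_result_t r = {200, NULL};

    /* Rule 1: no Origin header at all -> OK, nothing to echo. */
    if (origin == NULL) {
        return r;
    }
    /* Rule 2: Origin without an http: scheme is treated exactly like rule 1.
     * Assumption: "http: scheme" means the literal "http://" prefix. */
    if (strncmp(origin, "http://", 7) != 0) {
        return r;
    }
    /* Rule 3: Origin present but no Host -> 403. */
    if (host == NULL) {
        r.status = 403;
        return r;
    }
    char authority[256];
    if (!origin_authority(origin, authority, sizeof authority)) {
        r.status = 403;
        return r;
    }
    /* Rule 5: debugging exception, Origin host "localhost" with any port. */
    if (host_only_equals(authority, "localhost")) {
        r.allow_origin = origin;
        return r;
    }
    /* Rule 4: exact host[:port] match against Host -> echo Origin, else 403. */
    if (strcmp(authority, host) == 0) {
        r.allow_origin = origin;
        return r;
    }
    r.status = 403;
    return r;
}

int main(void) {
    /* Constructed sample header pairs, one per rule. */
    const char *cases[][2] = {
        {"device.local", NULL},                          /* rule 1 */
        {"device.local", "https://other.example"},       /* rule 2 */
        {NULL, "http://device.local"},                   /* rule 3 */
        {"device.local:8080", "http://device.local:8080/"}, /* rule 4, match */
        {"device.local", "http://device.local:8080"},    /* rule 4, port differs */
        {"device.local", "http://localhost:3000"},       /* rule 5 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        cors_result_t r = cors_check(cases[i][0], cases[i][1]);
        printf("Host=%s Origin=%s -> %d allow=%s\n",
               cases[i][0] ? cases[i][0] : "(none)",
               cases[i][1] ? cases[i][1] : "(none)",
               r.status, r.allow_origin ? r.allow_origin : "(none)");
    }
    return 0;
}
```

Two points worth noticing when reading the rules this way: rule 2 means a non-`http:` Origin (for example an `https:` page) is not rejected but simply not echoed, so the browser's own same-origin policy is what blocks it; and rule 5 deliberately lets any page served from the developer's own `localhost` reach the device, which is the trade-off the PR calls a "special debugging case".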

Member

@tannewt tannewt left a comment

Looks good to me! Thank you!

@tannewt tannewt merged commit 09c2c5e into adafruit:main Apr 19, 2023
@thess thess deleted the CORS-update branch April 22, 2023 17:01