Port in host header makes a non-cors request considered a cors request

Issue #36 resolved
Jacques-Etienne Beaudet created an issue

If you use this simple request:

curl -v -k 'https://someserver.com/somepath' -H 'Host: someserver.com:443' -H 'Origin: https://someserver.com'

It will get treated as a CORS request when it should not. The problem lies in the port being included in the Host header while it’s not present in the Origin header value. Exposing the port is valid even though it’s the default and could be omitted.

Comments (7)

  1. Vladimir Dzhuvinov

    Thanks for the report. I’ll see what test can be added to capture this bug and then patch it.

  2. Vladimir Dzhuvinov

    Added a test to verify that an explicit port in the Origin header will cause the request to get rejected when the config is not explicit as well: 7028a2c5c4e691eb30c27b9c6bc3704b14983123

    I played with curl a bit and noticed that the Host header has no effect on the HTTP request destination - you can try this out by plugging some other value.

    Also note that the Origin is something that gets reported and set by the browser. So the Origin header gets checked against the configured allowed origins, and Host, etc. is not checked.

    Closing as invalid. If you think there's some other issue feel free to reopen.

  3. Jacques-Etienne Beaudet reporter

    To be clear, this doesn’t bypass any CORS check (allowed origins, method, etc.).

    It simply flags a request as CORSRequestType.ACTUAL instead of CORSRequestType.OTHER. This is a tad annoying because in my case, it will add the various CORS headers like Access-Control-Allow-Credentials even though it should not.

    The issue lies right here (sorry, I could have been more precise in my original report): https://bitbucket.org/thetransactioncompany/cors-filter/src/7028a2c5c4e691eb30c27b9c6bc3704b14983123/src/main/java/com/thetransactioncompany/cors/CORSRequestType.java#lines-54

    It fails the request.getHeader(HeaderName.HOST) != null && request.getHeader(HeaderName.ORIGIN).equals(serverOrigin) condition even though it should not.
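The comparison described above, as an added illustration that is not the cors-filter project's own code: a literal string comparison of "scheme://Host" against Origin classifies the reported request as a CORS request, while comparing (scheme, host, port) tuples with the scheme's default port filled in treats it as same-origin. Function names and the simplified OTHER/ACTUAL classification (preflight handling omitted) are assumptions for this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def buggy_is_same_origin(scheme, host_header, origin_header):
    """String comparison as described in the report: scheme + '://' + Host
    is compared verbatim with the Origin header, so an explicit default
    port on either side breaks the match."""
    server_origin = f"{scheme}://{host_header}"
    return origin_header == server_origin


def _origin_tuple(scheme, hostname, port):
    """Normalise to (scheme, lowercase host, effective port)."""
    scheme = scheme.lower()
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, hostname.lower(), port)


def fixed_is_same_origin(scheme, host_header, origin_header):
    """Compare scheme/host/port with default ports made explicit, so
    'someserver.com:443' and 'https://someserver.com' are the same origin."""
    origin = urlsplit(origin_header)
    if origin.scheme == "" or origin.hostname is None:
        return False  # e.g. 'Origin: null' or a malformed value
    host = urlsplit(f"{scheme}://{host_header}")
    if host.hostname is None:
        return False
    try:
        return _origin_tuple(origin.scheme, origin.hostname, origin.port) == \
            _origin_tuple(scheme, host.hostname, host.port)
    except ValueError:  # non-numeric or out-of-range port
        return False


def classify(scheme, headers, same_origin=fixed_is_same_origin):
    """Return 'OTHER' for non-CORS (no Origin, or same-origin) requests and
    'ACTUAL' for cross-origin ones. Preflight detection is omitted here."""
    origin = headers.get("Origin")
    host = headers.get("Host")
    if origin is None:
        return "OTHER"
    if host is not None and same_origin(scheme, host, origin):
        return "OTHER"
    return "ACTUAL"


# Constructed sample: the exact headers from the curl command in the report.
REPORTED = {"Host": "someserver.com:443", "Origin": "https://someserver.com"}
```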
