Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: 403 for localhost http host and cors any #8524

Merged
merged 1 commit into from Dec 22, 2022
Merged

fix: 403 for localhost http host and cors any #8524

merged 1 commit into from Dec 22, 2022

Conversation

sdelamo
Copy link
Collaborator

@sdelamo sdelamo commented Dec 22, 2022

A malicious/compromised website can make HTTP requests to localhost. Typically, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are "simple" and do not require a preflight check.

This PR changes the CORS filter to return 403 if the host is localhost and the cors is set to any, which is the default if you set:

micronaut.server.cors.enabled=true

@sdelamo
fix: 403 for localhost http host and cors any
57039f2 
A malicious/compromised website can make HTTP requests to localhost. Typically, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are "simple" and do not require a preflight check.

This PR changes the CORS filter to return 403 if the host is localhost and the cors is set to any, which is the default if you set:

micronaut.server.cors.enabled=true
@sdelamo sdelamo requested a review from yawkat December 22, 2022 16:01
@sonarcloud
Copy link

sonarcloud bot commented Dec 22, 2022

SonarCloud Quality Gate failed.    Quality Gate failed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 2 Code Smells

89.3% 89.3% Coverage
0.0% 0.0% Duplication

@sdelamo sdelamo merged commit d849010 into 3.8.x Dec 22, 2022
@sdelamo sdelamo deleted the cors-localhost-attacks branch December 22, 2022 20:00
@sdelamo sdelamo mentioned this pull request Jan 9, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yawkat yawkat yawkat approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@sdelamo @yawkat