Add warnings for CORS policies #15258

Merged
merged 9 commits into from
Feb 17, 2024
Expand Up @@ -97,6 +97,11 @@ public async Task<ActionResult> IndexPOST()

var corsPolicies = new List<CorsPolicySetting>();

//For each policy check the following validation rule :
//If allow origin and allow credentials are both true create a warning message that cors will not work .
//Warn user.
var policyWarnings = new List<string>();

foreach (var settingViewModel in model.Policies)
{
corsPolicies.Add(new CorsPolicySetting
Expand All @@ -112,8 +117,11 @@ public async Task<ActionResult> IndexPOST()
IsDefaultPolicy = settingViewModel.IsDefaultPolicy

});
if (settingViewModel.AllowAnyOrigin && settingViewModel.AllowCredentials)
{
policyWarnings.Add($"{settingViewModel.Name}");
}
}

var corsSettings = new CorsSettings()
{
Policies = corsPolicies
Expand All @@ -124,6 +132,14 @@ public async Task<ActionResult> IndexPOST()
await _shellHost.ReleaseShellContextAsync(_shellSettings);

await _notifier.SuccessAsync(H["The CORS settings have updated successfully."]);
if (policyWarnings.Any())
{
var warning1 = "Specifying AllowAnyOrigin and AllowCredentials is an insecure configuration and can result in cross-site request forgery. The CORS service returns an invalid CORS response when an app is configured with both methods.";
var warning2 = "<strong>Affected policies: " + string.Join(", ", policyWarnings) + "</strong>";
var warning3 = "Refer to docs:<a href='https://learn.microsoft.com/en-us/aspnet/core/security/cors' target='_blank'>https://learn.microsoft.com/en-us/aspnet/core/security/cors</a>";
var allWarnings = $"{warning1}<br />{warning2}<br />{warning3}";
await _notifier.WarningAsync(H[allWarnings]);
}

return View(model);
}
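Review bot: The policy names gathered into `policyWarnings` come from `settingViewModel.Name` in the second hunk and are concatenated unencoded into `warning2` and then `allWarnings`, which the third hunk hands to `H[...]` as one string already containing `<strong>`, `<br />` and `<a>` markup; if the notifier renders that localized string as HTML, which the embedded markup implies, a policy name containing markup is emitted into the admin notification as-is. Passing the names as a format argument lets the HTML localizer encode them while the fixed markup stays literal, e.g. `H["…<strong>Affected policies: {0}</strong><br />Refer to docs: <a href='…' target='_blank'>…</a>", string.Join(", ", policyWarnings)]`, and it also makes the text localizable, which a key built at runtime is not. The warning is only raised after the settings are saved and the success notification is sent, so the insecure combination is persisted rather than rejected; a comment such as `// Warn but do not block: the policy is saved as configured.` should record that this is intended. IndexPOST begins before the first hunk.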