-
Notifications
You must be signed in to change notification settings - Fork 262
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Keep null origins from masquarding as "file://" #134
Conversation
Browsers send null origins when an iframe contains html code for its source instead of a URL. This means that websites who used rack-cors and allowed "file://" were open to attacks from malicious pages that used this fact to send "null" origins.
@bfad I'm trying to figure out what is the best way to approach this. As of 2/11/2017, of the browsers I tested, only Safari returns I know people rely on Isn't allowing Let me know what you think – I would like to figure out an acceptable solution for this. I'm leaning towards just throwing a stern warning right now. |
@cyu I need the <html>
<body>
<iframe src="data:text/html,<script> var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { alert(xhr.responseText); } }; xhr.open('GET', 'https://example.com/path', true); xhr.withCredentials = 'true'; xhr.send(null);</script>"></iframe>
</body>
</html> I can work around the problem by using a |
To reply to the edits you made in your original comment:
If I'm an attacker, I think it's much easier to get a person to visit a website with an The other problem with treating a My suggestion is to accept my pull request, and then document the browser differences with respect to origins while warning people against allowing |
@bfad I see your point – I was thinking about it from the perspective of an individual attack. And I agree about the unexpectedness problem – that to me is a more compelling reason than the former. |
Thanks! |
I think there's an inadvertent problem that's been created by this. Right now, even if I put my allowed origins as "*", a request with an Origin header of "null" (e.g. from a Firefox extension content script) fails with a 422 Unprocessable Entity. I believe that's because of this in Rails: https://github.com/rails/rails/pull/30780/files Before, rack-cors was altering the Origin to be "file://", which stopped that 422 from occurring. Now, rack-cors doesn't change it from "null", so it gets blocked by Rails. Ran into this problem a few months ago when our project upgraded rack-cors. |
Browsers send null origins when an iframe contains html code for its
source instead of a URL. This means that websites who used rack-cors and
allowed "file://" were open to attacks from malicious pages that used
this fact to send "null" origins.