Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ignore trailing slash in CorsConfiguration origin patterns #26892

Closed
korektur opened this issue May 4, 2021 · 4 comments
Closed

Ignore trailing slash in CorsConfiguration origin patterns #26892

korektur opened this issue May 4, 2021 · 4 comments
Assignees
@rstoyanchev
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Milestone
5.3.7

Comments

@korektur
Copy link
Contributor

korektur commented May 4, 2021
edited
Loading

Affects: v5.3.6

It's connected to #24763 - CorsConfiguration based on pattern matching.
While feature itself works really well, I found few corner cases where it's difficult to configure such patterns because of limitations that current pattern syntax provides.

  1. Sometimes origin contains a trailing slash. I think https://*.company.domain should match both https://test.company.domain and https://test.company.domain/. One workaround would be to add two different patterns, one with trailing slash and one without.
  2. Origins could contain port numbers. Currently it's impossible to support generic port with current syntax. As https://*.company.domain* could match https://test.company.domain:80 as well as https://test.company.domain.some.other.domain which is not what intended. Workaround here can be also creating two origins patterns: https://*.company.domain and https://*.company.domain:*.
  3. Would be nice to have possibility to support both http and https in a single pattern.

While there are workarounds as mentioned before, I think this should be supported out of the box (at least 1 & 2). What's more if you want to support 1 & 2 right now you would effectively either would need to create 4 different patterns or if you know how this is working inside spring you would end up with following pattern in your configuration: https://*.company.domain\\E\(:\\d+)?/?\\Q. Which is probably not the best approach either.

I see two possible solutions:

  1. When doing pattern matching against request origin remove trailing slash and port from it and do pattern matching just on host or schema+host
  2. Extend existing pattern syntax, so that it allows to configure patterns with generic port and optional trailing slash.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label May 4, 2021
@rstoyanchev
Copy link
Contributor

We already ignore any trailing slash in CorsUtils.isCorsRequest where we match only scheme, host, and port. We should also be ignoring it for the actual check against allowed origins. This is something we can fix.

The port number cannot be ignored by default as it is part of what defines a cross-domain request. We can enhance the pattern syntax, maybe a comma separated list of ports or a wildcard:

https://*.example.com:[8080]
https://*.example.com:[8080,9000]
https://*.example.com:[*]

/cc @sdeleuze, @rwinch

@rstoyanchev rstoyanchev self-assigned this May 7, 2021
@rstoyanchev rstoyanchev added in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels May 7, 2021
@rstoyanchev rstoyanchev added this to the 5.3.7 milestone May 7, 2021
@rstoyanchev rstoyanchev changed the title Extending syntax for CorsConfiguration origin patterns Support for trailing slash and port number in CorsConfiguration origin patterns May 7, 2021
rstoyanchev added a commit that referenced this issue May 7, 2021
@rstoyanchev
Ignore trailing slash in Origin header
dddcc5e 
See gh-26892
@korektur
Copy link
Contributor Author

korektur commented May 8, 2021
edited
Loading

Yeah, that actually makes sense.

artembilan added a commit to spring-projects/spring-integration that referenced this issue May 9, 2021
@artembilan
Fix WebSocket CORS configs for trailing slashes
560c591 
Related to spring-projects/spring-framework#26892

The WebSocket tests with `allowedOrigins` fail now because CORS processor
in Spring Framework removes a trailing slash from the request where possible one
in the config is left as is.

* Remove the trailing slash from the CORS config to match the current SF behavior
@sdeleuze
Copy link
Contributor

sdeleuze commented May 10, 2021
edited
Loading

Specifying multiple patterns (so doing just dddcc5e as part of this issue) or improving the pattern syntax as well as you proposed @rstoyanchev sounds both ok to me, so up to you if we add this capability or not.

rstoyanchev added a commit that referenced this issue May 10, 2021
@rstoyanchev
CorsConfiguration ignores trailing "/" in pattern
dc4e053 
Recent commit dddcc5e ensured a
trailing "/" in the Origin header has no effect. This commit does the
same for a trailing "/" in configured patterns.

See gh-26892
rstoyanchev added a commit that referenced this issue May 10, 2021
@rstoyanchev
Fix failing tests
aa51ed1 
This commit ensures that if an Origin is returned as it was provided,
possibly with a trailing slash.

See gh-26892
@rstoyanchev rstoyanchev mentioned this issue May 10, 2021
Closed
@rstoyanchev
Copy link
Contributor

I've created #26926 to separate that as enhancement. We're too close to the 5.3.7 release to add that and it would be useful to collect more feedback.

@rstoyanchev rstoyanchev changed the title Support for trailing slash and port number in CorsConfiguration origin patterns Support for trailing slash in CorsConfiguration origin patterns May 10, 2021
@rstoyanchev rstoyanchev changed the title Support for trailing slash in CorsConfiguration origin patterns Ignore trailing slash in CorsConfiguration origin patterns May 10, 2021
@korektur korektur mentioned this issue May 10, 2021
Closed
@sync-by-unito sync-by-unito bot mentioned this issue May 12, 2021
Merged
lxbzmy pushed a commit to lxbzmy/spring-framework that referenced this issue Mar 26, 2022
@rstoyanchev @lxbzmy
Ignore trailing slash in Origin header
f9fd0c6 
See spring-projectsgh-26892
lxbzmy pushed a commit to lxbzmy/spring-framework that referenced this issue Mar 26, 2022
@rstoyanchev @lxbzmy
CorsConfiguration ignores trailing "/" in pattern
afef340 
Recent commit dddcc5e ensured a
trailing "/" in the Origin header has no effect. This commit does the
same for a trailing "/" in configured patterns.

See spring-projectsgh-26892
lxbzmy pushed a commit to lxbzmy/spring-framework that referenced this issue Mar 26, 2022
@rstoyanchev @lxbzmy
Fix failing tests
c2391d5 
This commit ensures that if an Origin is returned as it was provided,
possibly with a trailing slash.

See spring-projectsgh-26892
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rstoyanchev rstoyanchev

Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Projects
None yet
Milestone
5.3.7
Development

No branches or pull requests
4 participants
@sdeleuze @rstoyanchev @korektur @spring-projects-issues