
Comments (5)

nitper avatar nitper commented on June 22, 2024 1

Your second link as well as the spec I posted originally are the best resources I have seen. There are various blog posts out there but they all seem to reference these two links.

There's also this page https://enable-cors.org/server.html which links to this handy server flowchart. Since Pomerium is a proxy, I believe it should verify that an OPTIONS request has all the necessary headers to qualify it as preflight, and then forward that to the server without authentication.

I'll need to double-check this, but it seems the preflight OPTIONS request must include these headers:


For what it's worth, my downstream server is using Echo as the server with the CORS middleware.

My frontend is using axios setting withCredentials: true

  // `withCredentials` indicates whether or not cross-site Access-Control requests
  // should be made using credentials
  withCredentials: false, // default

Pomerium is working just fine with this setup for CORS simple requests

from pomerium.

nitper avatar nitper commented on June 22, 2024

I did some searching around, and there are a bunch of other proxy projects that have implemented this. Here's one example https://github.com/istio/proxy/issues/651


desimone avatar desimone commented on June 22, 2024

Hi @nitper, thank you for the bug report.

I didn't know that about OPTIONS. We should conform to the spec, but I would like to better understand the use-case and investigate a bit regarding any potential security implications of having a bypass.

Could you point me in the right direction to read more about OPTIONS?

Ref for later self:


nitper avatar nitper commented on June 22, 2024

@desimone I'd be happy to submit a PR.

I was thinking about adding a field cors_allow_preflight (not married to the name) to Policy with a default of false. This way the user can manually and intentionally enable the unauthenticated passthrough of OPTIONS requests for each route as needed.

What do you think?


desimone avatar desimone commented on June 22, 2024

@nitper Thank you, a PR would be greatly appreciated!

I think the field name of cors_allow_preflight makes sense, and agree that defaulting to "off" is a safe choice.

More reading for future travelers:

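The check discussed in this thread (only an OPTIONS request carrying the headers that qualify it as a CORS preflight skips authentication, and only on a route that explicitly enabled cors_allow_preflight, which defaults to off), as an added Go example that is not Pomerium's code; the Route type, its field names and the sample URLs are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Route mirrors the per-route policy field proposed above. CORSAllowPreflight
// defaults to false, so nothing bypasses authentication unless the route opts
// in. The type and field names are assumptions, not Pomerium's own.
type Route struct {
	Prefix             string
	CORSAllowPreflight bool
}

// isCORSPreflight reports whether r is a CORS preflight as defined by the
// Fetch spec: method OPTIONS plus an Origin header and an
// Access-Control-Request-Method header. A bare OPTIONS request without those
// headers is not a preflight and must still be authenticated.
func isCORSPreflight(r *http.Request) bool {
	return r.Method == http.MethodOptions &&
		r.Header.Get("Origin") != "" &&
		r.Header.Get("Access-Control-Request-Method") != ""
}

// requiresAuth decides whether the proxy must authenticate r before forwarding
// it. Only a genuine preflight on a route that enabled cors_allow_preflight
// is passed through unauthenticated; everything else keeps the normal flow.
func requiresAuth(route Route, r *http.Request) bool {
	if !route.CORSAllowPreflight {
		return true // default: no bypass at all
	}
	if !strings.HasPrefix(r.URL.Path, route.Prefix) {
		return true // request is not on this route
	}
	return !isCORSPreflight(r)
}

func main() {
	route := Route{Prefix: "/api/", CORSAllowPreflight: true}
	// Constructed sample preflight request from a hypothetical frontend origin.
	r, _ := http.NewRequest(http.MethodOptions, "https://example.test/api/items", nil)
	r.Header.Set("Origin", "https://app.example.test")
	r.Header.Set("Access-Control-Request-Method", "POST")
	fmt.Println("requires auth:", requiresAuth(route, r)) // false
}
```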
