4.x Include scheme and port of origin and host in deciding whether to classify a request as CORS or not #8166
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
oracle-contributor-agreement
bot
added
the
OCA Verified
ljnelson
reviewed
Jan 5, 2024
ljnelson
reviewed
Jan 5, 2024
ljnelson
previously approved these changes
Jan 5, 2024
…equest as CORS or not
…CORS request adapter and impls; update copyright years
tjquinno
force-pushed
the
4.x-cors-host
branch
from
843276d
to
bf72b31
Compare
ljnelson
approved these changes
Jan 5, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Resolves #8088
Resolves #8093
Proper implementation of the CORS algorithm requires considering the scheme, node, and port of the origin (conveyed by the
Originheader) and the host that was requested by the client (conveyed by theHostheader or theForwardedheader or theX-Forwarded-*family of headers). A normal request in the CORS context is one that is not cross-origin--that is, for which the origin and the host share the same scheme, node, and port.The 4.x logic regressed from 3.x in not considering the scheme and port properly.
This PR does several things:
Adds an
isSecuremethod to an adapter interface for requests.The adapter insulates the CORS logic from differences in and dependence on the SE and MP request implementations. The PR also includes the enhancements to the SE and MP adapters to implement this new method.
Corrects the CORS logic which checks to see if the incoming request is a normal request (that is, non-CORS).
The CORS code first checks for whether the request is normal and, if so, skips the CORS processing. This normal check failed to account properly for the scheme and port of the origin and host and therefore incorrectly identified requests that needed CORS processing as normal (non-CORS) requests.
Adds numerous tests.
The CORS code does considerable logging (when turned on) to help users understand the decisions the code makes. This PR also introduces a new private record which represents the result of the "is the request normal" check, containing not only the true/false result but also the effective origin and host locations (full scheme, node, and port) that the is-normal check computed to decide the true/false result. The logging code now uses these intermediate results rather than having to recompute them for logging.
Documentation
This is a bug fix. No doc impact.