CORSMiddleware does not provide explicit origin although Authorization header is present #1832
Comments
More reference: a rust package that I've found raises an error when This is not an argument to raise an error, it's just saying that we are not complying with W3C.
Yes, I agree that this option is not compliant with W3C.
If we choose policy 2 or 3 and the configuration allows credentials to all origins, we have to choose and implement one of the following mechanisms to ensure that all requests including credentials are allowed. @Kludex pointed out that there are implementations using mechanism A, but no implementation that depends on the request header (e.g. B, C). Since the original code was implementing C partially, I added the Authorization header part to complete the functionality. Since mechanisms B and C cannot cover the mTLS credential case described in #1823, mechanism A may be better than the others.
The question here is... Are there implementations not using mechanism A? If not, can't we just change our logic to be like that?
We could just raise an exception if The browser will not allow it, and will warn you if you do the wrong thing. No need to make it complicated. Outside of a browser, bad actors can just fake the origin.
I am checking for credentials: if credentials are allowed, then the explicit-origin function is called if the headers include either Authorization or Cookie:

```python
if self.allow_all_origins:
    # Echo the explicit origin when credentials are allowed and the request
    # carries any credential header (Authorization or Cookie).
    if self.allow_credentials and (has_authorization or has_cookie):
        self.allow_explicit_origin(headers, origin)
```
Thanks @ShreySinha02 @Kludex would you mind providing an update on this issue and the proposed fix? Is there anyway the community could help moving forward on this?
Discussed in #1823
Originally posted by gyusang August 26, 2022
When sending a CORS request with credentials, a wildcard origin is rejected by the standard.
The CORS middleware handles this case when cookies are included, but is missing the case when the `Authorization` header is present.

starlette/starlette/middleware/cors.py, lines 164 to 165 in 31164e3

Since token authentication is also widely used these days, I believe an explicit header should be returned when the `Authorization` header is present.
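The behaviour the issue asks for, as an added stand-alone model (not Starlette's own code and not from anyone in this thread): a wildcard `Access-Control-Allow-Origin` is swapped for the echoed origin whenever credentials are configured and the request carries a `Cookie` or `Authorization` header. Function names, the plain-dict header representation and the sample origins are assumptions made for the example.

```python
from typing import Dict, Iterable

# Request headers whose presence means the browser is sending credentials.
# Cookie was already handled by the middleware; Authorization is the case the issue adds.
CREDENTIAL_HEADERS = ("cookie", "authorization")


def has_credentials(request_headers: Dict[str, str]) -> bool:
    """True when the request carries a Cookie or an Authorization header."""
    names = {name.lower() for name in request_headers}
    return any(name in names for name in CREDENTIAL_HEADERS)


def cors_headers(
    request_headers: Dict[str, str],
    allow_all_origins: bool,
    allow_credentials: bool,
    allowed_origins: Iterable[str] = (),
) -> Dict[str, str]:
    """Compute the CORS response headers for a simple (non-preflight) request.

    Hypothetical helper modelled on the decision discussed in the issue; it is
    not the middleware's real API.
    """
    lowered = {name.lower(): value for name, value in request_headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        return {}  # no Origin header: not a cross-origin request, nothing to add

    headers: Dict[str, str] = {}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"

    if allow_all_origins:
        # Browsers reject "*" on a credentialed response, so echo the specific
        # origin instead when the request actually carries credentials.
        if allow_credentials and has_credentials(lowered):
            headers["Access-Control-Allow-Origin"] = origin
            headers["Vary"] = "Origin"  # per-origin answer must not be cached across origins
        else:
            headers["Access-Control-Allow-Origin"] = "*"
        return headers

    if origin in set(allowed_origins):
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
        return headers
    return {}  # origin not on the allow list: emit no CORS headers at all
```

As the thread notes, this request-header approach cannot see credentials that are not headers, such as an mTLS client certificate.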