HOTFIX: Reflect origin header for CORS auth #126
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I broke remote authentication in e70230a. An upgrade to rack-cors changed the behavior of `origins '*'` such that it now does not reflect the request's origin and instead actually sends '*' for the allowed origins header. That means authentication on our requests fails :( See this change in rack-cors: cyu/rack-cors#142 We needed this behavior initially because it seemed like `Authorization` headers in our requests were getting stripped, but it seems like this may no longer be true. That needs more testing, though. For now, force rack-cors to return to its earlier behavior. Please enter the commit message for your changes. Lines starting
|
Side note for the curious: we largely work around the associated vulnerability here by disallowing cookie data on all remote requests. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Looks like I broke remote authentication in e70230a. An upgrade to rack-cors changed the behavior of
origins '*'such that it now does not reflect the request's origin and instead actually sends '*' for the allowed origins header. That means authentication on our requests fails :(See this change in rack-cors: cyu/rack-cors#142
We needed this behavior initially because it seemed like
Authorizationheaders in our requests were getting stripped, but it seems like this may no longer be true (or, more likely, I mis-diagnosed the issue originally). That needs more testing, though. For now, force rack-cors to return to its earlier behavior.