From 01d8e41bc54f313241b60bbf19529b1cc980d080 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Wed, 19 Jun 2024 13:35:20 +0100
Subject: [PATCH] chore: Update CORS_ALLOW_ORIGIN default value to "self" in cors.lua and plugin.json + Edit default values for cross-origin policies to the ones recommended by OWASP
---
 src/common/core/cors/cors.lua | 35 +++++++++++++++++++-------------
 src/common/core/cors/plugin.json | 10 ++++-----
 2 files changed, 26 insertions(+), 19 deletions(-)
diff --git a/src/common/core/cors/cors.lua b/src/common/core/cors/cors.lua
index 73e5da77f..550019d2c 100644
--- a/src/common/core/cors/cors.lua
+++ b/src/common/core/cors/cors.lua
@@ -6,7 +6,6 @@ local cors = class("cors", plugin)
 local ngx = ngx
 local HTTP_NO_CONTENT = ngx.HTTP_NO_CONTENT
-local WARN = ngx.WARN
 local regex_match = utils.regex_match
 local get_deny_status = utils.get_deny_status
@@ -49,20 +48,16 @@ function cors:header()
 else
 ngx_header.Vary = "Origin"
 end
- -- Check if Origin is allowed
- if self.ctx.bw.http_origin and self.variables["CORS_DENY_REQUEST"] == "yes" and self.variables["CORS_ALLOW_ORIGIN"] ~= "*" and not regex_match(self.ctx.bw.http_origin, self.variables["CORS_ALLOW_ORIGIN"]) then self:set_metric("counters", "failed_cors", 1) self.logger:log(WARN, "origin " .. self.ctx.bw.http_origin .. " is not allowed") return self:ret(true, "origin " .. self.ctx.bw.http_origin .. " is not allowed") end
+
 -- Set headers
 if self.variables["CORS_ALLOW_ORIGIN"] == "*" then
 ngx_header["Access-Control-Allow-Origin"] = "*"
+ elseif self.variables["CORS_ALLOW_ORIGIN"] == "self" then if self.ctx.bw.https_configured == "yes" then ngx_header["Access-Control-Allow-Origin"] = "https://" .. self.ctx.bw.server_name else ngx_header["Access-Control-Allow-Origin"] = "http://" .. self.ctx.bw.server_name end
 else
 ngx_header["Access-Control-Allow-Origin"] = self.ctx.bw.http_origin
 end
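Review bot: In the regex branch at the end of the hunk, `ngx_header["Access-Control-Allow-Origin"] = self.ctx.bw.http_origin` reflects whatever Origin the client sent without matching it against `CORS_ALLOW_ORIGIN`; the only match now lives in access() and runs only when `CORS_DENY_REQUEST` is "yes", so with deny mode off every origin is reflected regardless of the configured pattern. If this function also emits Access-Control-Allow-Credentials (not visible in the hunk), that is the classic credentialed-CORS misconfiguration. I'd gate the reflection on the match and leave the header unset otherwise, by turning the final `else` into `elseif self.ctx.bw.http_origin and regex_match(self.ctx.bw.http_origin, self.variables["CORS_ALLOW_ORIGIN"]) then`. The `self` branch emits a fixed `https://<server_name>`; if the service is reached on a non-default port the browser's Origin carries the port and will never equal it, so whether `server_name` includes the port is worth confirming. cors:header() starts before the hunk and ends after it.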
@@ -93,13 +88,25 @@ function cors:access()
 if self.variables["USE_CORS"] ~= "yes" then
 return self:ret(true, "service doesn't use CORS")
 end
+
+ -- Set the allow origin local allow_origin = self.variables["CORS_ALLOW_ORIGIN"] if allow_origin == "self" then if self.ctx.bw.https_configured == "yes" then allow_origin = "https://" .. self.ctx.bw.server_name else allow_origin = "http://" .. self.ctx.bw.server_name end end
+
 -- Deny as soon as possible if needed
 if
 self.ctx.bw.http_origin
 and self.variables["CORS_DENY_REQUEST"] == "yes"
- and self.variables["CORS_ALLOW_ORIGIN"] ~= "*"
- and not regex_match(self.ctx.bw.http_origin, self.variables["CORS_ALLOW_ORIGIN"])
+ and allow_origin ~= "*"
+ and not regex_match(self.ctx.bw.http_origin, allow_origin)
 then
+ self:set_metric("counters", "failed_cors", 1)
 return self:ret(
 true,
 "origin " .. self.ctx.bw.http_origin .. " is not allowed, denying access",
diff --git a/src/common/core/cors/plugin.json b/src/common/core/cors/plugin.json
index c1cfb61bf..4714b982e 100644
--- a/src/common/core/cors/plugin.json
+++ b/src/common/core/cors/plugin.json
@@ -16,8 +16,8 @@
 },
 "CORS_ALLOW_ORIGIN": {
 "context": "multisite",
- "default": "*",
- "help": "Allowed origins to make CORS requests : PCRE regex or *.",
+ "default": "self",
+ "help": "Allowed origins to make CORS requests : PCRE regex or * or self (for the same origin).",
 "id": "cors-allow-origin",
 "label": "Allowed origins",
 "regex": "^.*$",
@@ -61,7 +61,7 @@
 },
 "CROSS_ORIGIN_OPENER_POLICY": {
 "context": "multisite",
- "default": "",
+ "default": "same-origin",
 "help": "Value for the Cross-Origin-Opener-Policy header.",
 "id": "cross-origin-opener-policy",
 "label": "Cross-Origin-Opener-Policy",
@@ -71,7 +71,7 @@
 },
 "CROSS_ORIGIN_EMBEDDER_POLICY": {
 "context": "multisite",
- "default": "",
+ "default": "require-corp",
 "help": "Value for the Cross-Origin-Embedder-Policy header.",
 "id": "cross-origin-embedder-policy",
 "label": "Cross-Origin-Embedder-Policy",
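Review bot: For the new `self` value, `allow_origin` is built as a literal such as `https://www.example.com` and then handed to `regex_match` as the PCRE pattern (`not regex_match(self.ctx.bw.http_origin, allow_origin)`): its dots are unescaped metacharacters and it is unanchored, so an Origin of `https://www.example.com.attacker.tld` matches and the deny branch is skipped even with `CORS_DENY_REQUEST` on. header() still answers with the fixed self origin so browsers will block the response, but the server-side rejection that CORS_DENY_REQUEST exists to provide is bypassed. Compare `self` by plain string equality and keep regex matching for user-supplied patterns only, as sketched below. Whether `self.ctx.bw.server_name` carries the listening port or the exact host the client used is not visible here, so a non-default port may need handling in that comparison. cors:access() continues past the end of the hunk.
```lua
	-- Decide whether the request's Origin is acceptable
	local allow_origin = self.variables["CORS_ALLOW_ORIGIN"]
	local origin_allowed = true
	if self.ctx.bw.http_origin and allow_origin ~= "*" then
		if allow_origin == "self" then
			-- "self" is a literal origin: exact comparison, never a pattern
			local scheme = self.ctx.bw.https_configured == "yes" and "https://" or "http://"
			origin_allowed = self.ctx.bw.http_origin == scheme .. self.ctx.bw.server_name
		else
			-- user-supplied value is the PCRE pattern (should be anchored)
			origin_allowed = regex_match(self.ctx.bw.http_origin, allow_origin)
		end
	end

	-- Deny as soon as possible if needed
	if self.ctx.bw.http_origin and self.variables["CORS_DENY_REQUEST"] == "yes" and not origin_allowed then
		self:set_metric("counters", "failed_cors", 1)
		-- … unchanged: return self:ret(true, "origin … is not allowed, denying access", …) …
```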
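Review bot: The new help text for CORS_ALLOW_ORIGIN lists three forms but says nothing about anchoring, and the regex is applied to an attacker-controlled Origin header: an unanchored `https://app\.example\.com` also matches `https://app.example.com.attacker.tld`. I'd make it `"help": "Allowed origins to make CORS requests : anchored PCRE regex (e.g. ^https://app\\.example\\.com$), * or self (for the same origin)."`. The `"regex": "^.*$"` validator also accepts anything, so a value like `Self` is silently treated as a pattern (the Lua side compares `== "self"` case-sensitively) rather than the keyword; a stricter validator or a sentence in the help would catch that.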
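Review bot: `same-origin` as the default Cross-Origin-Opener-Policy cuts `window.opener` between this site and any cross-origin popup, which breaks OAuth/SSO and payment popup flows that postMessage back to the opener, and the unchanged help string gives no warning. I'd document the trade-off: `"help": "Value for the Cross-Origin-Opener-Policy header. same-origin isolates the browsing context and breaks window.opener-based popup flows (OAuth, payments); use same-origin-allow-popups if the site opens cross-origin popups."`.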
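Review bot: Defaulting Cross-Origin-Embedder-Policy to `require-corp` makes browsers refuse every cross-origin subresource (scripts, styles, images, fonts, iframes) that does not opt in via a CORP header or CORS, so any site loading assets from a CDN or embedding third-party content breaks on upgrade. `require-corp` only pays off together with COOP `same-origin` when the site needs cross-origin isolation (SharedArrayBuffer, precise timers); otherwise it is pure breakage risk. At minimum the help text should carry the caveat, e.g. `"help": "Value for the Cross-Origin-Embedder-Policy header. require-corp blocks cross-origin subresources without CORP/CORS opt-in; use unsafe-none (or credentialless) if the site embeds third-party assets."`, and keeping an empty default for existing deployments is worth considering.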
@@ -81,7 +81,7 @@
 },
 "CROSS_ORIGIN_RESOURCE_POLICY": {
 "context": "multisite",
- "default": "",
+ "default": "same-site",
 "help": "Value for the Cross-Origin-Resource-Policy header.",
 "id": "cross-origin-resource-policy",
 "label": "Cross-Origin-Resource-Policy",
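Review bot: `same-site` for Cross-Origin-Resource-Policy still lets every subdomain of the registrable domain load this site's resources, so a compromised or less-trusted subdomain can embed them; `same-origin` is the stricter value and, as far as I recall, the one OWASP's Secure Headers Project lists, which the commit message cites as the source. If same-site is intentional for multi-subdomain deployments I'd say so in the help: `"help": "Value for the Cross-Origin-Resource-Policy header. same-site lets any subdomain load the resource; use same-origin to restrict it to this origin."`.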