Include protocol when checking internal domain for cross-origin resource sharing#7786

Merged: mitchellhenke merged 1 commit into main from mitchellhenke/cors-protocol on Feb 7, 2023

Conversation

@mitchellhenke (Contributor)
🛠 Summary of changes

I noticed when working on #7785, that internal requests were not being skipped as intended, and it seems to be due to the request source including protocol AND domain, and us only comparing it against the domain. MDN has a fuller explanation, but the format and a few examples are:

Origin: null
Origin: <scheme>://<hostname>
Origin: <scheme>://<hostname>:<port>

Origin: https://developer.mozilla.org

On secure.login.gov, IdentityConfig.store.domain_name returns secure.login.gov, and I pulled the request headers:

Origin: https://secure.login.gov

which will never match 🙂

This PR adds https:// so that we skip the remaining checks as intended.

changelog: Internal, Cross-Origin Resource Sharing, Include protocol when checking internal domain for CORS
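As an added illustration (not code from the identity-idp repository), the check below reproduces the mismatch described above and the protocol-aware comparison that fixes it. The names `internal_origin_before?`, `internal_origin_after?` and `internal_origin?` are assumed, and `DOMAIN_NAME` stands in for `IdentityConfig.store.domain_name`; the third function goes beyond the PR by parsing the Origin header per the MDN grammar so that `null`, a non-https scheme, a non-default port or a lookalike host is rejected, and an explicit `:443` still matches.

```ruby
# Added example, not the project's own code. Shows why comparing the Origin
# header against a bare hostname never matches, and the scheme-aware check.
require 'uri'

# Constructed stand-in for IdentityConfig.store.domain_name.
DOMAIN_NAME = 'secure.login.gov'

# Before the fix: Origin carries "<scheme>://<hostname>[:<port>]", so comparing
# it to a bare hostname is always false for a real browser request.
def internal_origin_before?(origin, domain_name = DOMAIN_NAME)
  origin == domain_name
end

# After the fix: compare against the full expected origin, scheme included.
def internal_origin_after?(origin, domain_name = DOMAIN_NAME)
  origin == "https://#{domain_name}"
end

# More general form (assumed, not in the PR): parse the header per the MDN
# grammar ("null" | <scheme>://<hostname>[:<port>]) and require https, the exact
# host, the default port and no path. "null" and malformed values are rejected.
def internal_origin?(origin, domain_name = DOMAIN_NAME)
  return false if origin.nil? || origin == 'null'

  uri = URI.parse(origin)
  uri.scheme == 'https' &&
    uri.host == domain_name &&
    uri.port == 443 &&
    uri.path.empty?
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  header = 'https://secure.login.gov' # the value pulled from the request headers above
  puts "bare-hostname compare: #{internal_origin_before?(header)}"
  puts "scheme-aware compare:  #{internal_origin_after?(header)}"
  puts "parsed compare:        #{internal_origin?(header)}"
end
```

The parsed form is stricter than a string comparison in one useful direction: a request from `https://secure.login.gov.example.org` or `http://secure.login.gov` is treated as external, so it still goes through the remaining CORS checks rather than being skipped as internal.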
@zachmargolis (Contributor) left a comment

LGTM

mitchellhenke merged commit 8615e93 into main on Feb 7, 2023
mitchellhenke deleted the mitchellhenke/cors-protocol branch on February 7, 2023 at 17:44