include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
ASP.NET Core MVC:
----
// Sensitive: a wildcard Access-Control-Allow-Origin lets a script on any website
// read this endpoint's response cross-origin.
[HttpGet]
public string Get()
{
    // The two calls are alternative spellings of the same header (string literal
    // vs. the HeaderNames constant); they are listed together for illustration.
    Response.Headers.Add("Access-Control-Allow-Origin", "*"); // Sensitive
    Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive
}
----
----
// Sensitive: every CORS policy registered here admits all origins, whether it is
// written as WithOrigins("*") or as AllowAnyOrigin().
public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(cors =>
    {
        // Default policy: applies wherever CORS is enabled without a policy name.
        cors.AddDefaultPolicy(policy =>
        {
            policy.WithOrigins("*"); // Sensitive
        });

        // Named policy using the wildcard string.
        cors.AddPolicy(name: "EnableAllPolicy", policy =>
        {
            policy.WithOrigins("*"); // Sensitive
        });

        // Named policy using the explicit "any origin" helper.
        cors.AddPolicy(name: "OtherPolicy", policy =>
        {
            policy.AllowAnyOrigin(); // Sensitive
        });
    });

    services.AddControllers();
}
----
ASP.NET MVC:
----
// Sensitive: the action writes a wildcard Access-Control-Allow-Origin header by
// hand, so any origin may read its response.
public class HomeController : ApiController
{
    public HttpResponseMessage Get()
    {
        var currentResponse = HttpContext.Current.Response;

        // Three equivalent ways of emitting the header, shown together for
        // illustration; each one is reported.
        currentResponse.Headers.Add("Access-Control-Allow-Origin", "*"); // Sensitive
        currentResponse.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive
        currentResponse.AppendHeader(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive
    }
}
----
----
// Sensitive: origins: "*" in the attribute opens this action to every origin.
[EnableCors(origins: "*", headers: "*", methods: "GET")] // Sensitive
public HttpResponseMessage Get() => new HttpResponseMessage
{
    Content = new StringContent("content")
};
----
User-controlled origin:
[source,csharp]
----
// Sensitive: the Origin request header is chosen by the caller. Echoing it back
// unchecked approves every origin, exactly like a wildcard; and unlike "*", an
// echoed origin is also accepted by browsers on credentialed requests when
// Access-Control-Allow-Credentials is enabled.
string origin = Request.Headers["Origin"];
Response.Headers.Add("Access-Control-Allow-Origin", origin); // Sensitive
----
== Compliant Solution
ASP.NET Core MVC:
[source,csharp]
----
// Safe: the header names one fixed, trusted origin instead of a wildcard.
[HttpGet]
public string Get()
{
    // The two calls are alternative spellings of the same header (string literal
    // vs. the HeaderNames constant); real code needs only one of them.
    Response.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com"); // Safe
    Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com"); // Safe
}
----
[source,csharp]
----
// Safe: each policy enumerates the exact origins it trusts.
public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(cors =>
    {
        // Origins are full scheme://host[:port] values, written without a
        // trailing slash so they match the browser's Origin header exactly.
        cors.AddDefaultPolicy(policy =>
        {
            policy.WithOrigins("https://trustedwebsite.com", "https://anothertrustedwebsite.com"); // Safe
        });

        cors.AddPolicy(name: "EnableAllPolicy", policy =>
        {
            policy.WithOrigins("https://trustedwebsite.com"); // Safe
        });
    });

    services.AddControllers();
}
----
ASP.NET MVC:
[source,csharp]
----
// Safe: the hand-written header names one fixed, trusted origin.
public class HomeController : ApiController
{
    public HttpResponseMessage Get()
    {
        var currentResponse = HttpContext.Current.Response;

        // Three equivalent ways of emitting the header, shown together for
        // illustration; real code needs only one of them.
        currentResponse.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com");
        currentResponse.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com");
        currentResponse.AppendHeader(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com");
    }
}
----
[source,csharp]
----
// Safe: origins is narrowed to one trusted site. Only that argument differs from
// the sensitive example; headers is still "*".
[EnableCors(origins: "https://trustedwebsite.com", headers: "*", methods: "GET")]
public HttpResponseMessage Get() => new HttpResponseMessage
{
    Content = new StringContent("content")
};
----
User-controlled origin validated with an allow-list:
[source,csharp]
----
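// Reflects the caller's Origin only when it is on the allow-list.
string origin = Request.Headers["Origin"];

// The response now differs per Origin request header, so shared caches must not
// reuse one origin's response (and its Access-Control-Allow-Origin) for another.
Response.Headers.Add("Vary", "Origin");

// trustedOrigins must hold exact origin strings (scheme, host and port) and be
// compared for equality: a substring, prefix or suffix match would also accept
// look-alike hosts. Requests without an Origin header get no CORS header.
if (!string.IsNullOrEmpty(origin) && trustedOrigins.Contains(origin))
{
    Response.Headers.Add("Access-Control-Allow-Origin", origin);
}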
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 25 Jan 2021, 17:38:16 Costin Zaharia wrote:
How CORS works: \https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0#how-cors
For Asp.Net Web Api: https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api#enable-cors
Asp.Net Core: https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]