170 lines
3.6 KiB
Plaintext
170 lines
3.6 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
ASP.NET Core MVC:
|
|
|
|
----
|
|
[HttpGet]
|
|
public string Get()
|
|
{
|
|
Response.Headers.Add("Access-Control-Allow-Origin", "*"); // Sensitive
|
|
Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive
|
|
}
|
|
----
|
|
|
|
----
|
|
public void ConfigureServices(IServiceCollection services)
|
|
{
|
|
services.AddCors(options =>
|
|
{
|
|
options.AddDefaultPolicy(builder =>
|
|
{
|
|
builder.WithOrigins("*"); // Sensitive
|
|
});
|
|
|
|
options.AddPolicy(name: "EnableAllPolicy", builder =>
|
|
{
|
|
builder.WithOrigins("*"); // Sensitive
|
|
});
|
|
|
|
options.AddPolicy(name: "OtherPolicy", builder =>
|
|
{
|
|
builder.AllowAnyOrigin(); // Sensitive
|
|
});
|
|
});
|
|
|
|
services.AddControllers();
|
|
}
|
|
----
|
|
|
|
ASP.NET MVC:
|
|
|
|
----
|
|
public class HomeController : ApiController
|
|
{
|
|
public HttpResponseMessage Get()
|
|
{
|
|
var response = HttpContext.Current.Response;
|
|
|
|
response.Headers.Add("Access-Control-Allow-Origin", "*"); // Sensitive
|
|
response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive
|
|
response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive
|
|
}
|
|
}
|
|
----
|
|
|
|
----
|
|
[EnableCors(origins: "*", headers: "*", methods: "GET")] // Sensitive
|
|
public HttpResponseMessage Get() => new HttpResponseMessage()
|
|
{
|
|
Content = new StringContent("content")
|
|
};
|
|
----
|
|
|
|
User-controlled origin:
|
|
|
|
[source,csharp]
|
|
----
|
|
String origin = Request.Headers["Origin"];
|
|
Response.Headers.Add("Access-Control-Allow-Origin", origin); // Sensitive
|
|
----
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
ASP.NET Core MVC:
|
|
|
|
[source,csharp]
|
|
----
|
|
[HttpGet]
|
|
public string Get()
|
|
{
|
|
Response.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com"); // Safe
|
|
Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com"); // Safe
|
|
}
|
|
----
|
|
|
|
[source,csharp]
|
|
----
|
|
public void ConfigureServices(IServiceCollection services)
|
|
{
|
|
services.AddCors(options =>
|
|
{
|
|
options.AddDefaultPolicy(builder =>
|
|
{
|
|
builder.WithOrigins("https://trustedwebsite.com", "https://anothertrustedwebsite.com"); // Safe
|
|
});
|
|
|
|
options.AddPolicy(name: "EnableAllPolicy", builder =>
|
|
{
|
|
builder.WithOrigins("https://trustedwebsite.com"); // Safe
|
|
});
|
|
});
|
|
|
|
services.AddControllers();
|
|
}
|
|
----
|
|
|
|
ASP.Net MVC:
|
|
|
|
[source,csharp]
|
|
----
|
|
public class HomeController : ApiController
|
|
{
|
|
public HttpResponseMessage Get()
|
|
{
|
|
var response = HttpContext.Current.Response;
|
|
|
|
response.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com");
|
|
response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com");
|
|
response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com");
|
|
}
|
|
}
|
|
----
|
|
|
|
[source,csharp]
|
|
----
|
|
[EnableCors(origins: "https://trustedwebsite.com", headers: "*", methods: "GET")]
|
|
public HttpResponseMessage Get() => new HttpResponseMessage()
|
|
{
|
|
Content = new StringContent("content")
|
|
};
|
|
----
|
|
|
|
|
|
User-controlled origin validated with an allow-list:
|
|
|
|
[source,csharp]
|
|
----
|
|
String origin = Request.Headers["Origin"];
|
|
|
|
if (trustedOrigins.Contains(origin))
|
|
{
|
|
Response.Headers.Add("Access-Control-Allow-Origin", origin);
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|