
[BUG] Support "null" value for Origin header

Open raulci opened this issue 1 month ago • 0 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

We should consider the situation when the Origin header is "null" (https://www.rfc-editor.org/rfc/rfc6454#section-7.3):

Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Origin header field.

In this code, we should consider it:

// if we have an Origin header, check it against our allowlist
origin := r.Header.Get("Origin")
if origin != "" {
	parsedOrigin, err := url.Parse(origin)
	if err != nil {
		r = envError(r, ErrBadOrigin)
		cs.opts.ErrorHandler.ServeHTTP(w, r)
		return
	}
	if !sameOrigin(&requestURL, parsedOrigin) && !slices.Contains(cs.opts.TrustedOrigins, parsedOrigin.Host) {
		r = envError(r, ErrBadOrigin)
		cs.opts.ErrorHandler.ServeHTTP(w, r)
		return
	}
}

Maybe just ignore the null value in the if origin statement:

origin := r.Header.Get("Origin")
if origin != "" && origin != "null" {
	...
}

Expected Behavior

If the Origin header value is the string "null", the Origin header should not be checked.

Steps To Reproduce

With my current setup, the OAuth2 Hydra login process causes the POST login to be called with ‘Origin = null’.

Anything else?

I managed to configure the POST login to set up the Origin header (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referrer-Policy#integration_with_html), so this error is not happening anymore, but anyway I think the null string value should be considered.

Reference: https://www.rfc-editor.org/rfc/rfc6454#section-7.3

raulci, Dec 01 '25 17:12
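The Origin check the issue discusses, as an added example that is not the project's own code: it keeps the snippet's "skip when no Origin header is sent" behaviour and adds an explicit branch for the literal `null`. Because `url.Parse("null")` yields an empty host, the existing code already rejects it; this version makes that outcome a policy decision (`AllowNullOrigin`, a hypothetical option) rather than a side effect of parsing. `sameOrigin` and `OriginPolicy` are simplified assumptions, not the library's definitions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"slices"
)

var ErrBadOrigin = errors.New("origin invalid")

// OriginPolicy is a hypothetical option set for the check below.
type OriginPolicy struct {
	TrustedOrigins  []string // host[:port] values accepted besides the request's own origin
	AllowNullOrigin bool     // whether the literal "null" (RFC 6454 section 7.3) skips the check
}

// sameOrigin is a simplified scheme+host comparison (assumption, not the library's helper).
func sameOrigin(a, b *url.URL) bool {
	return a.Scheme == b.Scheme && a.Host == b.Host
}

// checkOrigin validates an Origin header value against the request URL and policy.
// An empty value means the browser sent no Origin header and the check is skipped, as in the
// snippet. The literal "null" never carries a host, so it can only pass if the policy opts in;
// by default it is rejected, which is also what url.Parse("null") (empty Host) leads to today.
func checkOrigin(requestURL *url.URL, origin string, p OriginPolicy) error {
	if origin == "" {
		return nil
	}
	if origin == "null" {
		if p.AllowNullOrigin {
			return nil
		}
		return ErrBadOrigin
	}
	parsed, err := url.Parse(origin)
	if err != nil || parsed.Host == "" {
		return ErrBadOrigin
	}
	if sameOrigin(requestURL, parsed) || slices.Contains(p.TrustedOrigins, parsed.Host) {
		return nil
	}
	return ErrBadOrigin
}

func main() {
	req, _ := url.Parse("https://app.example/login") // constructed request URL
	for _, o := range []string{"", "null", "https://app.example", "https://evil.example"} {
		fmt.Printf("%-22q -> %v\n", o, checkOrigin(req, o, OriginPolicy{}))
	}
}
```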