
Commit 3371c55

Enforce Origin checks on authenticated state-changing requests
# We rely on "secure;HttpOnly" cookies to prevent cross-site GET requests, and use # this Origin header checking to protect against cross-site POST and DELETE. Browsers # will prevent XHR JSON requests by using a pre-flight check, but form POSTs definitely # work and can be protected against this way. # Relevant to isaacphysics/isaac-app#892
1 parent c384aad commit 3371c55


1 file changed

+6
-6
lines changed


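--- a/src/main/java/uk/ac/cam/cl/dtg/segue/api/managers/UserAuthenticationManager.java
+++ b/src/main/java/uk/ac/cam/cl/dtg/segue/api/managers/UserAuthenticationManager.java
@@ -334,14 +334,14 @@ public RegisteredUser getUserFromSession(final HttpServletRequest request) {
 log.warn("Authenticated request had unexpected Referer: '" + referrer + "'. Attempted to access: "
 + request.getPathInfo());
 }
+// If the client sends an Origin header, we should afford them better security. If they do not send the header,
+// we can draw no conclusions and must allow the request through.
 String origin = request.getHeader("Origin");
 boolean expectOriginHeader = ORIGIN_HEADER_REQUEST_METHODS.contains(request.getMethod());
-if (expectOriginHeader && null == origin) {
-log.warn("Authenticated request had no 'Origin' information! Attempted to access: "
-+ request.getPathInfo());
-} else if (expectOriginHeader && !origin.startsWith("https://" + properties.getProperty(HOST_NAME))) {
-log.warn("Authenticated request had unexpected Origin: '" + origin + "'. Attempted to access: "
-+ request.getPathInfo());
+if (expectOriginHeader && null != origin && !origin.equals("https://" + properties.getProperty(HOST_NAME))) {
+log.error("Authenticated request had unexpected Origin: '" + origin + "'. Blocked access to: "
++ request.getMethod() + " " + request.getPathInfo());
+return null;
 }
 }
 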
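Review bot: Dropping the `null == origin` branch leaves the allow-through for state-changing requests that carry no Origin header entirely unlogged, so the gap the new comment describes can no longer be observed or alerted on. Keep a warn-level entry for that case, e.g. `} else if (expectOriginHeader && null == origin) { log.warn("Authenticated " + request.getMethod() + " request had no 'Origin' header. Attempted to access: " + request.getPathInfo()); }`, so missing-Origin state changes stay visible in the logs. The move from startsWith to equals closes the prefix-matching weakness of the old check, but the exact match presumably assumes HOST_NAME carries no scheme or port and that the service is only reached over https — worth confirming against the deployment configuration. The enclosing getUserFromSession method starts and ends outside this hunk.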
