reject wildcard origin with credentials in is_origin_allowed #2644
Merged
stephenberry merged 2 commits on Jun 18, 2026
Conversation
The pre-existing cors_wildcard_with_credentials_echoes_origin test asserted the old behavior where a wildcard origin list with credentials echoed the request origin alongside Access-Control-Allow-Credentials. The security fix in is_origin_allowed now rejects an unlisted origin in that configuration, so the test is updated to verify the preflight is denied (403) with no Allow-Origin or Allow-Credentials headers, and renamed accordingly.
With `allowed_origins {"*"}` and `allow_credentials true`, any request Origin is echoed back with credentials: `is_origin_allowed` treats `"*"` (or an empty origin list) as allow-all without looking at `allow_credentials`, and `create_cors_middleware` reflects the request origin once credentials are on. The combination lets any site read authenticated cross-origin responses. The `cors_config` docs already say `"*"` is invalid with credentials, so this keeps the wildcard/empty-list allow-all path but gates it on credentials being off; with credentials on it falls through to the exact `allowed_origins` match (the validator path is unchanged).

Before: `"*"` + credentials reflects any origin alongside `Access-Control-Allow-Credentials: true`.

After: `"*"` + credentials only allows origins listed explicitly (or accepted by the validator); `"*"` without credentials still allows all and sends `Access-Control-Allow-Origin: *`.

Test in `tests/networking_tests/cors_test` drives the middleware headers and `is_origin_allowed` across these cases.
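The before/after behaviour described in this PR and the test update in the comment above, as an added C++ example that is not the project's own code: `cors_config`, `is_origin_allowed_before`, `is_origin_allowed_after`, `preflight` and the header struct are stand-ins written for this illustration, not the library's real types or signatures. The `before` check treats a wildcard or empty `allowed_origins` as allow-all regardless of `allow_credentials`, so the middleware reflects any Origin together with `Access-Control-Allow-Credentials: true`; the `after` check gates that shortcut on credentials being off and otherwise falls through to the exact list match and the optional validator, so the unlisted origin gets a 403 with neither header. The origins used are constructed sample values.

```cpp
#include <functional>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Hypothetical stand-in for the cors_config discussed in the PR (assumed shape, not Glaze's type).
struct cors_config {
    std::vector<std::string> allowed_origins{"*"};          // "*" or empty means "any origin"
    bool allow_credentials = false;
    std::function<bool(const std::string&)> origin_validator; // optional custom validator
};

static bool is_wildcard_or_empty(const cors_config& cfg) {
    return cfg.allowed_origins.empty() ||
           (cfg.allowed_origins.size() == 1 && cfg.allowed_origins[0] == "*");
}

// Exact match against the list, then the validator (the path the PR leaves unchanged).
static bool listed_or_validated(const cors_config& cfg, const std::string& origin) {
    for (const auto& o : cfg.allowed_origins)
        if (o == origin) return true;
    return cfg.origin_validator && cfg.origin_validator(origin);
}

// Before the fix: wildcard/empty list is allow-all without looking at allow_credentials.
bool is_origin_allowed_before(const cors_config& cfg, const std::string& origin) {
    if (is_wildcard_or_empty(cfg)) return true;
    return listed_or_validated(cfg, origin);
}

// After the fix: the allow-all shortcut only applies when credentials are off.
bool is_origin_allowed_after(const cors_config& cfg, const std::string& origin) {
    if (is_wildcard_or_empty(cfg) && !cfg.allow_credentials) return true;
    return listed_or_validated(cfg, origin);
}

// Minimal preflight decision: status plus the two headers the PR description talks about.
struct cors_decision {
    int status = 204;                              // 403 when the origin is rejected
    std::optional<std::string> allow_origin;       // Access-Control-Allow-Origin
    std::optional<std::string> allow_credentials;  // Access-Control-Allow-Credentials
};

using origin_check = bool (*)(const cors_config&, const std::string&);

// Mirrors the middleware behaviour in the description: with credentials on the request
// origin is reflected (browsers reject a literal "*" with credentials); with a wildcard
// list and credentials off, "*" is sent; a rejected origin gets 403 and no CORS headers.
cors_decision preflight(const cors_config& cfg, const std::string& origin, origin_check allowed) {
    cors_decision d;
    if (!allowed(cfg, origin)) { d.status = 403; return d; }
    if (cfg.allow_credentials) {
        d.allow_origin = origin;
        d.allow_credentials = "true";
    } else if (is_wildcard_or_empty(cfg)) {
        d.allow_origin = "*";
    } else {
        d.allow_origin = origin;
    }
    return d;
}

int main() {
    cors_config wild;                 // allowed_origins {"*"} + allow_credentials true
    wild.allow_credentials = true;
    const std::string attacker = "https://attacker.example"; // constructed sample origin

    for (auto [name, check] : {std::pair{"before", is_origin_allowed_before},
                               std::pair{"after", is_origin_allowed_after}}) {
        auto d = preflight(wild, attacker, check);
        std::cout << name << ": status " << d.status
                  << " origin=" << d.allow_origin.value_or("<none>")
                  << " credentials=" << d.allow_credentials.value_or("<none>") << '\n';
    }
    return 0;
}
```

Running it prints the vulnerable reflection for `before` (204, the attacker origin, `true`) and the denial for `after` (403, no headers); the same `after` check still returns `*` for a wildcard list without credentials and reflects an explicitly listed or validator-accepted origin with credentials.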