You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The package supports to automatically perform an Origin header check via OriginPatterns. However, these origin patterns are only checked against the Origin header Host component (see
I believe that this is incorrect and the entire Origin header should be checked against a set of allowed once - that is, including the schema and port.
Activity
sc0Vu commentedon Jun 9, 2025
@timofurrer It seems
Host
contains host and port https://pkg.go.dev/net/url#URL, but I think they may miss schema here. Based on this spec https://datatracker.ietf.org/doc/html/rfc6454#section-3.2, the schema is required.