Skip to content

Origin check should not only be a check against the host #529

Open
@timofurrer

Description

@timofurrer

The package supports to automatically perform an Origin header check via OriginPatterns. However, these origin patterns are only checked against the Origin header Host component (see

matched, err := match(hostPattern, u.Host)
).

I believe that this is incorrect and the entire Origin header should be checked against a set of allowed once - that is, including the schema and port.

Activity

sc0Vu

sc0Vu commented on Jun 9, 2025

@sc0Vu

@timofurrer It seems Host contains host and port https://pkg.go.dev/net/url#URL, but I think they may miss schema here. Based on this spec https://datatracker.ietf.org/doc/html/rfc6454#section-3.2, the schema is required.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions

      Origin check should not only be a check against the host · Issue #529 · coder/websocket