Description
The package supports automatically performing an Origin header check via OriginPatterns. However, these origin patterns are only checked against the Origin header's Host component (see Line 244 in efb626b). I believe that this is incorrect and the entire Origin header should be checked against a set of allowed ones, that is, including the scheme and port.
Activity
sc0Vu commented on Jun 9, 2025
@timofurrer It seems Host contains host and port (https://pkg.go.dev/net/url#URL), but I think they may miss the scheme here. Based on this spec (https://datatracker.ietf.org/doc/html/rfc6454#section-3.2), the scheme is required.
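As an added illustration of the point raised in the issue description and in sc0Vu's comment (example code written for this page, not the package's own implementation), the following Go snippet contrasts a host-only comparison with a check on the full RFC 6454 (scheme, host, port) tuple. The allow-list is assumed to hold exact origins; the package's own OriginPatterns wildcard syntax is not reproduced, and the default-port table is an assumption for http/https/ws/wss.

```go
package main

import (
	"net/url"
	"strings"
)

// Ports implied by a scheme when the Origin header carries none (assumed table).
var defaultPorts = map[string]string{"http": "80", "ws": "80", "https": "443", "wss": "443"}

// canonicalOrigin reduces an origin to its RFC 6454 (scheme, host, port) tuple,
// written "scheme://host:port", so different spellings of one origin compare equal.
func canonicalOrigin(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Hostname() == "" {
		return "", false // no scheme or host: reject rather than guess
	}
	scheme, port := strings.ToLower(u.Scheme), u.Port()
	if port == "" {
		port = defaultPorts[scheme]
	}
	return scheme + "://" + strings.ToLower(u.Hostname()) + ":" + port, true
}

// hostOnlyAllowed is a simplified stand-in for the check the issue describes:
// only url.URL.Host (host plus an optional explicit port) is compared, so an
// Origin with a different scheme still passes.
func hostOnlyAllowed(origin string, allowedHosts []string) bool {
	u, err := url.Parse(origin)
	for _, h := range allowedHosts {
		if err == nil && strings.EqualFold(u.Host, h) {
			return true
		}
	}
	return false
}

// fullOriginAllowed compares the whole tuple, so scheme and port mismatches,
// schemeless values and the opaque "null" origin are all rejected.
func fullOriginAllowed(origin string, allowed []string) bool {
	got, ok := canonicalOrigin(origin)
	for _, a := range allowed {
		if want, ok2 := canonicalOrigin(a); ok && ok2 && want == got {
			return true
		}
	}
	return false
}
```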