security: suppress Allow-Credentials on wildcard CORS origin (CORS-1) (#3980)

fix(security): suppress Allow-Credentials on wildcard CORS origin (CORS-1)

Per CORS spec §3.2, Access-Control-Allow-Credentials must not be
"true" when Access-Control-Allow-Origin is the wildcard "*".

ACHeadersMiddleware (pkg/common/http_server.go) and
getUIHeadersHandler (pkg/api/routes.go) now only emit the
credentials header when an explicit, non-empty AllowOrigin is
configured.  Deployments that leave AllowOrigin blank (default
wildcard) no longer produce a contradictory header pair.

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
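The header rule the commit message cites, shown as an added stand-alone Go example (not code from this commit or from the project's own middleware): a pre-fix handler that advertises credentials whenever credentialed auth is on, beside a fixed one that gates the header on a non-wildcard origin, both probed with net/http/httptest so it runs offline. The names normalizeOrigin, legacyCORS, fixedCORS, probe and contradictory, the sample request origin, and the added Vary: Origin header are assumptions of this example and go beyond what the commit itself changes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// normalizeOrigin maps the configured AllowOrigin value to the value that
// is actually emitted: whitespace is trimmed and an empty setting means the
// wildcard. Both CORS headers are derived from this one value so they can
// never disagree with each other. (Hypothetical helper for this example.)
func normalizeOrigin(configured string) string {
	o := strings.TrimSpace(configured)
	if o == "" {
		return "*"
	}
	return o
}

// legacyCORS reproduces the pre-fix behaviour: Allow-Credentials is set
// whenever credentialed auth is enabled, regardless of the origin value.
func legacyCORS(configuredOrigin string, credentialedAuth bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", normalizeOrigin(configuredOrigin))
		if credentialedAuth {
			h.Set("Access-Control-Allow-Credentials", "true") // contradictory with "*"
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// fixedCORS applies the rule: Allow-Credentials may only be "true" when an
// explicit, non-wildcard origin is echoed back.
func fixedCORS(configuredOrigin string, credentialedAuth bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		origin := normalizeOrigin(configuredOrigin)
		h.Set("Access-Control-Allow-Origin", origin)
		h.Set("Access-Control-Allow-Methods", "GET,HEAD,OPTIONS")
		h.Set("Access-Control-Allow-Headers", "Authorization,content-type")
		if origin != "*" {
			// The response now depends on the configured origin; tell caches so.
			h.Add("Vary", "Origin")
			if credentialedAuth {
				h.Set("Access-Control-Allow-Credentials", "true")
			}
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// probe sends one constructed preflight through h and returns the
// Allow-Origin and Allow-Credentials values it produced.
func probe(h http.Handler) (origin, creds string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodOptions, "/v2/", nil)
	req.Header.Set("Origin", "https://ui.example.com") // constructed sample request
	h.ServeHTTP(rec, req)
	res := rec.Result()
	return res.Header.Get("Access-Control-Allow-Origin"),
		res.Header.Get("Access-Control-Allow-Credentials")
}

// contradictory reports whether a header pair is the combination the CORS
// rule forbids; browsers reject such a response for credentialed requests.
func contradictory(origin, creds string) bool {
	return origin == "*" && creds == "true"
}

func main() {
	for _, cfg := range []string{"", "*", " * ", "https://ui.example.com"} {
		lo, lc := probe(legacyCORS(cfg, true))
		fo, fc := probe(fixedCORS(cfg, true))
		fmt.Printf("AllowOrigin=%q legacy: %q/%q contradictory=%v | fixed: %q/%q contradictory=%v\n",
			cfg, lo, lc, contradictory(lo, lc), fo, fc, contradictory(fo, fc))
	}
}
```

Running it shows the blank, "*" and " * " settings all producing the forbidden pair under the legacy handler and only Allow-Origin: * under the fixed one, while an explicit origin keeps Allow-Credentials: true. Deriving both headers from one normalized value is the point worth copying: a check that trims the value for the credentials decision but writes the raw value into Allow-Origin can still emit a mismatched pair.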
This commit is contained in:
Ramkumar Chinchani
2026-04-18 11:14:52 -07:00
committed by GitHub
parent eadc9b65ed
commit bfc59ad120
3 changed files with 44 additions and 5 deletions
+5 -2
@@ -38,9 +38,12 @@ func ACHeadersMiddleware(config *config.Config, allowedMethods ...string) mux.Mi
resp.Header().Set("Access-Control-Allow-Methods", allowedMethodsValue)
resp.Header().Set("Access-Control-Allow-Headers", "Authorization,content-type,"+constants.SessionClientHeaderName)
// Get auth config safely
// Access-Control-Allow-Credentials must not be "true" when
// Access-Control-Allow-Origin is the wildcard "*" (CORS spec §3.2).
// Only advertise credentials support when an explicit origin is set.
authConfig := config.CopyAuthConfig()
if authConfig.IsBasicAuthnEnabled() {
allowOrigin := strings.TrimSpace(config.GetAllowOrigin())
if authConfig.IsBasicAuthnEnabled() && allowOrigin != "" && allowOrigin != "*" {
resp.Header().Set("Access-Control-Allow-Credentials", "true")
}
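Review bot: the trimmed `allowOrigin` in the new `if` only gates the credentials header; nothing in this hunk derives `Access-Control-Allow-Origin` from the same normalized value, so if that header is written elsewhere from the raw `config.GetAllowOrigin()`, a configured value such as `" * "` would still be emitted verbatim while credentials are (correctly) suppressed. Consider normalizing the origin once and using that single value for both headers, which also makes the `allowOrigin != ""` clause self-explanatory. The file's stat (+5 -2) and the hunk show no import change, so please confirm `strings` is already imported in http_server.go. Minor: the new three-line comment could state that an empty setting means the default wildcard, which is the case the commit message relies on and is not obvious from `allowOrigin != "" && allowOrigin != "*"` alone.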