Even with the default configuration of the echo.CORS middleware, where only the allowed origin has been modified from the default wildcard ("*") to a specific domain, unauthorized cross-origin requests still propagate through the application stack, reaching the data layer. While egress filtering blocks the response, this occurs after data mutations have already been committed, representing an actual security concern. Please tell if this is by design.
Please provide an example app + cURL/wget commands to test it out. NB: CORS is only meant for browsers. Any API request can and is allowed to bypass it by not providing the relevant headers etc. You can start off from this snippet:

```go
package main

import (
	"errors"
	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
	"log/slog"
	"net/http"
)

func main() {
	e := echo.New()
	e.Use(middleware.Logger())
	// CORS middleware with whatever settings you want to test
	e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
		// your settings
	}))
	e.GET("/", func(c echo.Context) error {
		return c.JSON(http.StatusOK, "ok")
	})
	// http.ErrServerClosed is the normal shutdown result, not an error
	if err := e.Start(":8082"); err != nil && !errors.Is(err, http.ErrServerClosed) {
		slog.Error("server start ended with error", "err", err)
	}
}
```
Looking at the repo history and reading the CORS spec, it seems that this behavior has been there for a long time. I can only say that CORS does not necessarily say that the server must reject these requests, as CORS is meant to be enforced on the web-browser side by the browsers. But it would make sense to reject these. I'll create PR #2732 for it.

P.S. CORS is only a security measure for clients (like browsers) that adhere to CORS rules. For anything else it is just a suggestion for behavior.
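To make the two points in this thread concrete (the handler still runs for a disallowed origin, and CORS only constrains clients that send an Origin header), here is an added example that is not part of the thread and not echo's code. It models the middleware shape with `net/http` so it runs without echo: `HeaderOnlyCORS` only decides which response headers to emit and always calls the next handler, `RejectingCORS` additionally returns 403 before the handler when the Origin is not on the allowlist, and `Exercise` sends one request through either variant and reports whether the handler ran. The function names, the `Outcome` type and the allowlisted origin `https://app.example.test` are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is a constructed allowlist shared by both middlewares below.
var allowedOrigins = map[string]bool{"https://app.example.test": true}

// HeaderOnlyCORS models the usual middleware shape: it picks the CORS response
// headers but always calls the next handler. A browser refuses to expose the
// response to a disallowed origin, yet the handler has already executed.
func HeaderOnlyCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" && allowedOrigins[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// RejectingCORS also refuses requests that carry an Origin header not on the
// allowlist, before the handler runs. Requests with no Origin at all (cURL,
// server-to-server) pass through unchanged: CORS is not authentication.
func RejectingCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && !allowedOrigins[origin] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		if origin != "" {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// Outcome records whether the handler ran, plus what the client would see.
type Outcome struct {
	HandlerRan  bool
	Status      int
	AllowOrigin string
}

// Exercise sends one POST carrying the given Origin (empty string = no Origin
// header) through mw wrapped around a handler that records its invocation,
// standing in for the data mutation the question is worried about.
func Exercise(mw func(http.Handler) http.Handler, origin string) Outcome {
	ran := false
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ran = true // this is where a real handler would write to the data layer
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/items", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	mw(handler).ServeHTTP(rec, req)
	return Outcome{
		HandlerRan:  ran,
		Status:      rec.Code,
		AllowOrigin: rec.Header().Get("Access-Control-Allow-Origin"),
	}
}

func main() {
	// Constructed origins: one allowed, one not, and a header-less client.
	for _, origin := range []string{"https://app.example.test", "https://other.example.test", ""} {
		fmt.Printf("origin=%q header-only=%+v rejecting=%+v\n",
			origin, Exercise(HeaderOnlyCORS, origin), Exercise(RejectingCORS, origin))
	}
}
```

Running it shows the header-only variant executing the handler for every origin and merely omitting `Access-Control-Allow-Origin` for the disallowed one, while the rejecting variant stops the disallowed-origin request with 403 before the handler. In both variants the request with no Origin header reaches the handler, which is why an origin check can complement, but never replace, real authentication and authorization on mutating endpoints.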