
[BUG] v.1.7.3 sameOrigin check issue for localhost over http #188

@eugenioenko


Is there an existing issue for this?

  • I have searched the existing issues

The issue

It seems like opt.TrustedOrigins is required to be set even though the request does come from the same origin.

Current Behavior

The function sameOrigin is comparing a.Scheme == b.Scheme and a.Host == b.Host.

csrf/helpers.go

Lines 157 to 158 in 9dd6af1

func sameOrigin(a, b *url.URL) bool {
	return (a.Scheme == b.Scheme && a.Host == b.Host)
}

The handler for the CSRF check is using this function to compare r.URL vs r.Header.Get("Origin") here.

csrf/csrf.go

Lines 288 to 289 in 9dd6af1

if !sameOrigin(&requestURL, parsedOrigin) && !slices.Contains(cs.opts.TrustedOrigins, parsedOrigin.Host) {
	r = envError(r, ErrBadOrigin)
}

The issue is that requestURL.Scheme is set to https even when the request origin is http, because isPlaintext is false in a local environment.

csrf/csrf.go

Lines 271 to 272 in 9dd6af1

requestURL.Scheme = "https"
if isPlaintext {

The current fix is to add localhost:8080 to opt.TrustedOrigins, but since in this case the origin is the same, it shouldn't be required.

Expected Behavior

Requests from the same origin (host + scheme) should not require manually adding entries to opt.TrustedOrigins.

Steps To Reproduce

No response

Anything else?

The solution seems to be to update the logic to correctly detect plaintext (http) requests in local/dev environments, or to improve how isPlaintext is set/detected by default.
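The mismatch described in this issue, reconstructed as a stand-alone Go example (added here; it is not the library's own code). sameOrigin and the accept/reject decision follow the lines quoted above; originAllowed and detectPlaintext are hypothetical helpers, and deriving isPlaintext from r.TLS == nil is an assumed detection, not how the library sets it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// sameOrigin mirrors the helper quoted in the issue: scheme and host must both match.
func sameOrigin(a, b *url.URL) bool {
	return a.Scheme == b.Scheme && a.Host == b.Host
}

// originAllowed (hypothetical helper) follows the quoted csrf.go lines: the request's own origin
// defaults to https and is only downgraded when isPlaintext is true; the Origin header must
// then match it, or its host must be listed in trustedOrigins.
func originAllowed(host string, isPlaintext bool, origin string, trustedOrigins []string) (bool, error) {
	parsedOrigin, err := url.Parse(origin)
	if err != nil {
		return false, err
	}
	requestURL := &url.URL{Scheme: "https", Host: host}
	if isPlaintext {
		requestURL.Scheme = "http"
	}
	if sameOrigin(requestURL, parsedOrigin) {
		return true, nil
	}
	for _, h := range trustedOrigins { // same effect as slices.Contains in the quoted code
		if h == parsedOrigin.Host {
			return true, nil
		}
	}
	return false, nil
}

// detectPlaintext is an assumed detector, not the library's: no TLS state means plain http.
func detectPlaintext(r *http.Request) bool {
	return r.TLS == nil
}

func main() {
	// Constructed request: a page served from http://localhost:8080 posting back to itself.
	r, _ := http.NewRequest(http.MethodPost, "http://localhost:8080/form", nil)
	r.Header.Set("Origin", "http://localhost:8080")
	// Reported behaviour: with isPlaintext false the request is assumed https, so the check fails.
	ok, _ := originAllowed(r.Host, false, r.Header.Get("Origin"), nil)
	fmt.Println("isPlaintext forced false:", ok)
	// Deriving isPlaintext from the connection lets the genuine same-origin request pass.
	ok, _ = originAllowed(r.Host, detectPlaintext(r), r.Header.Get("Origin"), nil)
	fmt.Println("isPlaintext detected:", ok)
}
```

Note that a cross-origin request is still rejected once isPlaintext is detected correctly; only the scheme assumption changes.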
