StefanOssendorf / SecurityHeadersMiddleware

OWIN Middlewares to set useful security-related HTTP headers (STS, Anti-Clickjacking, XSS, CSP).
MIT License

AntiClickjacking Origins checks RequestUri #4

Open jmvermeulen opened 9 years ago

jmvermeulen commented 9 years ago

This code checks if the requestUri is in the origins, but the requestUri isn't the iFrame host. Instead it's the current URL; of course this never works to allow an external origin.

```csharp
private static string DetermineValue(Uri[] origins, Uri requestUri) {
    Uri uri = Array.Find(origins, u => Rfc6454Utility.HasSameOrigin(u, requestUri));
    return uri == null ? "DENY" : "ALLOW-FROM {0}".FormatWith(Rfc6454Utility.SerializeOrigin(uri));
}
```

StefanOssendorf commented 9 years ago

Thank you!

I worry that my intended functionality doesn't work :( After some research I can only get the remote IP address and not the remote URL.

Either I have to map between an IP address and an origin, or I can introduce a custom header to get the remote URL. Mhm... Crap!

@damianh

Any suggestions to this?

jmvermeulen commented 9 years ago

Can you read the referrer URL? It isn't rock solid, but could be an option.

At this stage the AntiClickjacking feature is only able to disallow, not whitelist. Removing the dynamic implementation makes whitelisting for one domain possible.
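The following is an added illustration, not code from the SecurityHeadersMiddleware project, of the two points made in this thread: why comparing the request URI against the configured origins can never produce ALLOW-FROM for an external origin (the server only ever sees its own URL, never the embedding page's), and what the static single-origin variant looks like once the dynamic lookup is removed. `SerializeOrigin` and `HasSameOrigin` are stand-ins for the project's `Rfc6454Utility` helpers, written here against RFC 6454; the origins and request URL are constructed sample values.

```csharp
using System;

// Added example (not the project's code). Demonstrates the AntiClickjacking
// origin check discussed in issue #4 and its static replacement.
public static class AntiClickjackingExample
{
    // RFC 6454 section 6.2 serialization: scheme://host[:port], default port omitted.
    // Stand-in for Rfc6454Utility.SerializeOrigin (assumption about the project).
    public static string SerializeOrigin(Uri uri)
    {
        string scheme = uri.Scheme.ToLowerInvariant();
        string host = uri.Host.ToLowerInvariant();
        return uri.IsDefaultPort ? scheme + "://" + host : scheme + "://" + host + ":" + uri.Port;
    }

    // RFC 6454 section 5: two URIs share an origin iff scheme, host and port all match.
    // Stand-in for Rfc6454Utility.HasSameOrigin (assumption about the project).
    public static bool HasSameOrigin(Uri a, Uri b)
    {
        return string.Equals(a.Scheme, b.Scheme, StringComparison.OrdinalIgnoreCase)
            && string.Equals(a.Host, b.Host, StringComparison.OrdinalIgnoreCase)
            && a.Port == b.Port;
    }

    // The dynamic check as reported in the issue. requestUri is the URL of the page
    // being served, not of the page that frames it, so an external origin in the
    // list never matches; the only possible non-DENY result is the server's own
    // origin, which is just SAMEORIGIN spelled differently.
    public static string DetermineValueDynamic(Uri[] origins, Uri requestUri)
    {
        Uri match = Array.Find(origins, u => HasSameOrigin(u, requestUri));
        return match == null ? "DENY" : "ALLOW-FROM " + SerializeOrigin(match);
    }

    // Static alternative: X-Frame-Options ALLOW-FROM carries exactly one origin, so the
    // header value is fixed at configuration time and does not depend on the request.
    public static string DetermineValueStatic(Uri allowedOrigin)
    {
        return allowedOrigin == null ? "DENY" : "ALLOW-FROM " + SerializeOrigin(allowedOrigin);
    }

    public static void Main()
    {
        // Constructed sample values: the app lives on app.example and wants to be
        // framed only by partner.example.
        Uri[] origins = { new Uri("https://partner.example") };
        Uri request = new Uri("https://app.example/dashboard");

        // Dynamic check: request origin is app.example, list holds partner.example.
        Console.WriteLine(DetermineValueDynamic(origins, request));   // DENY

        // Static value: the configured origin goes straight into the header.
        Console.WriteLine(DetermineValueStatic(origins[0]));          // ALLOW-FROM https://partner.example
    }
}
```

The static form also makes the limitation in the thread explicit: one configured origin per X-Frame-Options header. Anyone needing more than one framing origin has to move to the CSP `frame-ancestors` directive, which the project's CSP middleware covers, rather than try to make ALLOW-FROM dynamic.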

StefanOssendorf commented 9 years ago

I thought I could extend the spec, which only allows one domain. Sad :/

I'm not sure if the OWIN spec contains a referrer URL.

damianh commented 9 years ago

Are we talking about the HTTP Referer header? The OWIN spec doesn't (and never will) have anything to do with specific headers, just a header dictionary.

On 11 Dec 2014 19:31, "Stefan Ossendorf" notifications@github.com wrote:

StefanOssendorf commented 9 years ago

Yeah, I was really wrong. I thought there was something equal to remoteIP.

damianh commented 9 years ago

There is a server.RemoteIpAddress (http://owin.org/spec/spec/CommonKeys.html); afaik all hosts support this, except perhaps TestServer (it is easy to fake).

On 11 Dec 2014 21:17, "Stefan Ossendorf" notifications@github.com wrote:

StefanOssendorf commented 9 years ago

Yeah, right. I hoped there was a similar key like RemoteUrlAddress or something like that. Thanks for your answer :-)

damianh commented 9 years ago

What is a 'RemoteUrlAddress'? Clients are not normally addressable / connectable. If you mean 'remote host', you'll have to reverse DNS lookup the remote IP address. This has a cost, and not all (most) IPs will have a host name.

On 11 Dec 2014 21:22, "Stefan Ossendorf" notifications@github.com wrote:

StefanOssendorf commented 9 years ago

Yes, remote host. Sorry ^^"

damianh commented 9 years ago

Yeah, reverse DNS so. You couldn't trust a client to give you the correct value anyway.

On 11 Dec 2014 21:36, "Stefan Ossendorf" notifications@github.com wrote: