gin-contrib / cors

Official CORS middleware for gin
https://gin-gonic.github.io/gin/
MIT License

"null" origin should be allowed #62

Open tomaszkiewicz opened 4 years ago

tomaszkiewicz commented 4 years ago

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin the header may be one of:

Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: <origin>
Access-Control-Allow-Origin: null

However, when I try to specify "null" as one of the origins:

r.Use(cors.New(cors.Config{
        AllowOrigins: []string{
...
            "null",
        },
}))

I get:

panic: bad origin: origins must contain '*' or include http://,https://

The use case is a PWA sharing files on Android using POST to the app - in that case we get "null" in the Origin header. I saw that it's not recommended; however, I think it should be supported as an option.

Best regards

Łukasz Tomaszkiewicz

jub0bs commented 2 years ago

Allowing the null origin is a bad idea, in particular because any malicious client can get hold of it by issuing requests from a sandboxed document (e.g. an iframe with the sandbox attribute).

If you allow the null origin with credentials, you're essentially deactivating all of the SOP's restrictions on network access; you're leaving the door wide open to cross-origin attacks against your users. And if you want to allow the null origin without credentials, you might as well have Access-Control-Allow-Origin: * instead in your responses.

More details at https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
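As an added defensive example (not gin-contrib/cors code), here is a minimal origin check in plain Go that encodes the two points made in this thread: the startup validation behind the panic quoted above, and a request-time check that never echoes a null origin and never combines a wildcard with credentials. The allowlist entry https://app.example and the use of http.Header are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// validateOrigins mirrors the rule in the panic message quoted above: each configured
// origin must be "*" or start with http:// or https://, so "null" is rejected at startup.
func validateOrigins(origins []string) error {
	for _, o := range origins {
		if o != "*" && !strings.HasPrefix(o, "http://") && !strings.HasPrefix(o, "https://") {
			return fmt.Errorf("bad origin %q: origins must contain '*' or include http://,https://", o)
		}
	}
	return nil
}

// allowedOrigin picks the Access-Control-Allow-Origin value for a request Origin header.
// "null" (sandboxed iframes, the Android share-target POST) is never echoed back, even if configured.
func allowedOrigin(reqOrigin string, allowlist []string) (string, bool) {
	for _, o := range allowlist {
		if o == "*" || (o == reqOrigin && o != "null" && o != "") {
			return o, true // "*" stays literal; an exact match echoes the request origin
		}
	}
	return "", false
}

// setCORSHeaders writes the CORS headers into h and reports whether the request was allowed.
// With credentials on, "*" is refused rather than turned into origin reflection, which is
// the "door wide open" configuration the thread warns about.
func setCORSHeaders(h http.Header, reqOrigin string, allowlist []string, credentials bool) bool {
	origin, ok := allowedOrigin(reqOrigin, allowlist)
	if !ok || (credentials && origin == "*") {
		return false
	}
	h.Set("Access-Control-Allow-Origin", origin)
	h.Add("Vary", "Origin") // the value depends on the request, so caches must key on Origin
	if credentials {
		h.Set("Access-Control-Allow-Credentials", "true")
	}
	return true
}

func main() { // the issue's scenario: Origin: null against a credentialed allowlist
	h := http.Header{}
	fmt.Println(setCORSHeaders(h, "null", []string{"https://app.example"}, true), h) // false map[]
}
```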