vuestorefront / vue-storefront

Alokai is a Frontend as a Service solution that simplifies composable commerce. It connects all the technologies needed to build and deploy fast & scalable ecommerce frontends. It guides merchants to deliver exceptional customer experiences quickly and easily.
https://www.alokai.com
MIT License

[Bug]: application fails to properly validate the Origin headers -> Access-Control-Allow-Origin: * #6682

Open WojtekTheWebDev opened 2 years ago

WojtekTheWebDev commented 2 years ago

Describe the Bug

It is observed that the application fails to properly validate the Origin headers. Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites.

Current behavior

VSF middleware enables All CORS requests: https://github.com/vuestorefront/vue-storefront/blob/main/packages/core/middleware/src/createServer.ts#L12

Expected behavior

There should be an option to configure CORS with options like:

const corsOptions = {
  origin: 'http://example.com'
}

Steps to reproduce

  1. Navigate to https://demo-bigcommerce-canary.europe-west1.gcp.storefrontcloud.io/ (example on BigCommerce integration but it's related to the VSF middleware)
  2. Log in with valid credentials and capture any request that carries sensitive data
  3. In the request headers, change the Origin header as shown in the attached screenshot (Screenshot 2022-03-23 at 09 37 17)

What version of Vue Storefront are you using?

2.5.6

What version of Node.js are you using?

16.14

What browser (and version) are you using?

Chrome

What operating system (and version) are you using?

macOS

Relevant log output

No response

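The difference between the wildcard default the report describes, an origin-reflecting configuration, and the allowlisted `origin` option the reporter asks for, as an added JavaScript example that is not code from the vue-storefront repository or from the issue author. It models the `origin` option of the `cors` npm package with plain functions so it runs without Express; the origins, the allowlist and the `allowlistOrigin` predicate are assumptions, and the browser-side check follows the Fetch standard's CORS rules (a `*` header never satisfies a credentialed request).

```javascript
// Added example, not code from vue-storefront: models how a cors()-style
// middleware picks Access-Control-Allow-Origin and whether a page on a
// third-party site could then read the response. Origins and the allowlist
// are assumptions constructed for this illustration.

// Hypothetical trusted storefront origins (assumption).
const ALLOWED_ORIGINS = new Set([
  'https://shop.example.com',
  'https://admin.example.com',
]);

// Allowlist predicate. The real `cors` package passes (origin, callback);
// this simplified form returns a boolean (assumption).
function allowlistOrigin(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Compute the CORS response headers for a request carrying `requestOrigin`.
// `policy` mirrors the `origin` option of the `cors` npm package:
//   '*'        wildcard, what an unconfigured cors() emits (the reported default)
//   true       reflect the request's Origin verbatim (attacker-controlled)
//   function   allow only origins the predicate accepts
function corsHeaders(policy, requestOrigin, { credentials = false } = {}) {
  const headers = {};
  let allowOrigin;
  if (policy === '*') {
    allowOrigin = '*';
  } else if (policy === true && requestOrigin) {
    allowOrigin = requestOrigin;
  } else if (typeof policy === 'function' && policy(requestOrigin)) {
    allowOrigin = requestOrigin;
  }
  if (allowOrigin !== undefined) {
    headers['Access-Control-Allow-Origin'] = allowOrigin;
    // A per-origin answer must not be cached and served to other origins.
    if (allowOrigin !== '*') headers['Vary'] = 'Origin';
    if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Browser-side decision: can a page at `pageOrigin` read the response?
// Mirrors the Fetch CORS check: '*' never satisfies a credentialed request,
// and a credentialed read also needs Access-Control-Allow-Credentials: true.
function canCrossSiteRead(headers, pageOrigin, withCredentials) {
  const allow = headers['Access-Control-Allow-Origin'];
  if (allow === undefined) return false;
  if (allow === '*') return !withCredentials;
  if (allow !== pageOrigin) return false;
  return !withCredentials || headers['Access-Control-Allow-Credentials'] === 'true';
}

// Probe the three policies from an attacker-controlled page, with and
// without the victim's cookies attached.
function probe(attackerOrigin) {
  const policies = {
    wildcard: '*',
    reflect: true,
    allowlist: allowlistOrigin,
  };
  const result = {};
  for (const [name, policy] of Object.entries(policies)) {
    const h = corsHeaders(policy, attackerOrigin, { credentials: true });
    result[name] = {
      allowOrigin: h['Access-Control-Allow-Origin'] ?? null,
      anonymousRead: canCrossSiteRead(h, attackerOrigin, false),
      credentialedRead: canCrossSiteRead(h, attackerOrigin, true),
    };
  }
  return result;
}

// Constructed attacker origin for the demonstration.
const report = probe('https://evil.example');
console.table(report);
```

The wildcard default lets any page read responses that do not depend on the browser attaching cookies, while the reflecting configuration combined with `credentials: true` lets it read cookie-authenticated responses as well; the allowlist returns no `Access-Control-Allow-Origin` at all for an unknown origin, so neither read succeeds. Which of the first two cases matters for a given deployment depends on how it carries its session, which the report does not state.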

bloodf commented 2 years ago

@WojtekTheWebDev I think changing the defaults on the HELMET module can add this security layer. https://docs.vuestorefront.io/v2/security/headers-security.html

skirianov commented 1 year ago

@WojtekTheWebDev is this closed? If yes, please close the issue