Throw if CORS policy is configured to allow credentials and any origin (

#7751)

* Throw if CORS policy is configured to allow credentials and any origin

Fixes #3106

src/Middleware/CORS/samples/SampleDestination/Startup.cs

@@ -50,8 +50,7 @@ public void ConfigureServices(IServiceCollection services)
  options.AddPolicy("AllowAll", policy => policy
  .AllowAnyOrigin()
  .AllowAnyMethod()
- .AllowAnyHeader()
- .AllowCredentials());
+ .AllowAnyHeader());
  });
  services.AddRouting();
  }

src/Middleware/CORS/samples/SampleDestination/StartupWithoutEndpointRouting.cs

@@ -73,8 +73,7 @@ public void Configure(IApplicationBuilder app)
  innerBuilder.UseCors(policy => policy
  .AllowAnyOrigin()
  .AllowAnyMethod()
- .AllowAnyHeader()
- .AllowCredentials());
+ .AllowAnyHeader());
 
  innerBuilder.UseMiddleware<SampleMiddleware>();
  });

src/Middleware/CORS/src/Infrastructure/CorsPolicyBuilder.cs

@@ -224,6 +224,11 @@ public CorsPolicyBuilder SetIsOriginAllowedToAllowWildcardSubdomains()
  /// <returns>The constructed <see cref="CorsPolicy"/>.</returns>
  public CorsPolicy Build()
  {
+ if (_policy.AllowAnyOrigin && _policy.SupportsCredentials)
+ {
+ throw new InvalidOperationException(Resources.InsecureConfiguration);
+ }
+
  return _policy;
  }
 

src/Middleware/CORS/src/Infrastructure/CorsService.cs

@@ -8,7 +8,6 @@
 using Microsoft.AspNetCore.Cors.Internal;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
 
@@ -77,7 +76,7 @@ public CorsResult EvaluatePolicy(HttpContext context, CorsPolicy policy)
 
  if (policy.AllowAnyOrigin && policy.SupportsCredentials)
  {
- _logger.InsecureConfiguration();
+ throw new ArgumentException(Resources.InsecureConfiguration, nameof(policy));
  }
 
  var origin = context.Request.Headers[CorsConstants.Origin];

src/Middleware/CORS/src/Internal/CORSLoggerExtensions.cs

@@ -18,7 +18,6 @@ internal static class CORSLoggerExtensions
  private static readonly Action<ILogger, string, Exception> _requestHeaderNotAllowed;
  private static readonly Action<ILogger, Exception> _failedToSetCorsHeaders;
  private static readonly Action<ILogger, Exception> _noCorsPolicyFound;
- private static readonly Action<ILogger, Exception> _insecureConfiguration;
  private static readonly Action<ILogger, Exception> _isNotPreflightRequest;
 
  static CORSLoggerExtensions()
@@ -73,11 +72,6 @@ static CORSLoggerExtensions()
  new EventId(10, "NoCorsPolicyFound"),
  "No CORS policy found for the specified request.");
 
- _insecureConfiguration = LoggerMessage.Define(
- LogLevel.Warning,
- new EventId(11, "InsecureConfiguration"),
- "The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time. Configure the policy by listing individual origins if credentials needs to be supported.");
-
  _isNotPreflightRequest = LoggerMessage.Define(
  LogLevel.Debug,
  new EventId(12, "IsNotPreflightRequest"),
@@ -134,11 +128,6 @@ public static void NoCorsPolicyFound(this ILogger logger)
  _noCorsPolicyFound(logger, null);
  }
 
- public static void InsecureConfiguration(this ILogger logger)
- {
- _insecureConfiguration(logger, null);
- }
-
  public static void IsNotPreflightRequest(this ILogger logger)
  {
  _isNotPreflightRequest(logger, null);

src/Middleware/CORS/src/Resources.resx

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <root>
-  <!-- 
+ <!-- 
  Microsoft ResX Schema 
  
  Version 2.0
@@ -60,63 +60,66 @@
  : and then encoded with base64 encoding.
  -->
  <xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
-  <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
-  <xsd:element name="root" msdata:IsDataSet="true">
-  <xsd:complexType>
-  <xsd:choice maxOccurs="unbounded">
-  <xsd:element name="metadata">
-  <xsd:complexType>
-  <xsd:sequence>
-  <xsd:element name="value" type="xsd:string" minOccurs="0" />
-  </xsd:sequence>
-  <xsd:attribute name="name" use="required" type="xsd:string" />
-  <xsd:attribute name="type" type="xsd:string" />
-  <xsd:attribute name="mimetype" type="xsd:string" />
-  <xsd:attribute ref="xml:space" />
-  </xsd:complexType>
-  </xsd:element>
-  <xsd:element name="assembly">
-  <xsd:complexType>
-  <xsd:attribute name="alias" type="xsd:string" />
-  <xsd:attribute name="name" type="xsd:string" />
-  </xsd:complexType>
-  </xsd:element>
-  <xsd:element name="data">
-  <xsd:complexType>
-  <xsd:sequence>
-  <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
-  <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
-  </xsd:sequence>
-  <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
-  <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
-  <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
-  <xsd:attribute ref="xml:space" />
-  </xsd:complexType>
-  </xsd:element>
-  <xsd:element name="resheader">
-  <xsd:complexType>
-  <xsd:sequence>
-  <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
-  </xsd:sequence>
-  <xsd:attribute name="name" type="xsd:string" use="required" />
-  </xsd:complexType>
-  </xsd:element>
-  </xsd:choice>
-  </xsd:complexType>
-  </xsd:element>
+ <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
+ <xsd:element name="root" msdata:IsDataSet="true">
+ <xsd:complexType>
+ <xsd:choice maxOccurs="unbounded">
+ <xsd:element name="metadata">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="value" type="xsd:string" minOccurs="0" />
+ </xsd:sequence>
+ <xsd:attribute name="name" use="required" type="xsd:string" />
+ <xsd:attribute name="type" type="xsd:string" />
+ <xsd:attribute name="mimetype" type="xsd:string" />
+ <xsd:attribute ref="xml:space" />
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="assembly">
+ <xsd:complexType>
+ <xsd:attribute name="alias" type="xsd:string" />
+ <xsd:attribute name="name" type="xsd:string" />
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="data">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+ <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
+ </xsd:sequence>
+ <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
+ <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
+ <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
+ <xsd:attribute ref="xml:space" />
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="resheader">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+ </xsd:sequence>
+ <xsd:attribute name="name" type="xsd:string" use="required" />
+ </xsd:complexType>
+ </xsd:element>
+ </xsd:choice>
+ </xsd:complexType>
+ </xsd:element>
  </xsd:schema>
  <resheader name="resmimetype">
-  <value>text/microsoft-resx</value>
+ <value>text/microsoft-resx</value>
  </resheader>
  <resheader name="version">
-  <value>2.0</value>
+ <value>2.0</value>
  </resheader>
  <resheader name="reader">
-  <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+ <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
  </resheader>
  <resheader name="writer">
-  <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+ <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
  </resheader>
+ <data name="InsecureConfiguration" xml:space="preserve">
+ <value>The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time. Configure the CORS policy by listing individual origins if credentials needs to be supported.</value>
+ </data>
  <data name="PreflightMaxAgeOutOfRange" xml:space="preserve">
  <value>PreflightMaxAge must be greater than or equal to 0.</value>
  </data>

src/Middleware/CORS/test/UnitTests/CorsPolicyBuilderTests.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -285,7 +285,6 @@ public void AllowCredential_SetsSupportsCredentials_ToTrue()
  Assert.True(corsPolicy.SupportsCredentials);
  }
 
-
  [Fact]
  public void DisallowCredential_SetsSupportsCredentials_ToFalse()
  {
@@ -300,6 +299,21 @@ public void DisallowCredential_SetsSupportsCredentials_ToFalse()
  Assert.False(corsPolicy.SupportsCredentials);
  }
 
+ [Fact]
+ public void Build_ThrowsIfConfiguredToAllowAnyOriginWithCredentials()
+ {
+ // Arrange
+ var builder = new CorsPolicyBuilder()
+ .AllowAnyOrigin()
+ .AllowCredentials();
+
+ // Act
+ var ex = Assert.Throws<InvalidOperationException>(() => builder.Build());
+
+ // Assert
+ Assert.Equal(Resources.InsecureConfiguration, ex.Message);
+ }
+
  [Theory]
  [InlineData("Some-String", "some-string")]
  [InlineData("x:\\Test", "x:\\test")]