vuestorefront/vue-storefront

[Bug]: application fails to properly validate the Origin headers -> Access-Control-Allow-Origin: *

Opened this issue · 2 comments

Describe the Bug

It is observed that the application fails to properly validate the Origin headers.
Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites.

Current behavior

VSF middleware enables all CORS requests:
https://github.com/vuestorefront/vue-storefront/blob/main/packages/core/middleware/src/createServer.ts#L12

Expected behavior

There should be an option to configure CORS with params like:

const corsOptions = {
  origin: 'http://example.com'
}

Steps to reproduce

  1. Navigate to https://demo-bigcommerce-canary.europe-west1.gcp.storefrontcloud.io/ (example on BigCommerce integration but it's related to the VSF middleware)
  2. Log in with valid credentials and capture any request that carries sensitive data
  3. Change the Origin request header as shown below
    (screenshot: Screenshot 2022-03-23 at 09 37 17)

What version of Vue Storefront are you using?

2.5.6

What version of Node.js are you using?

16.14

What browser (and version) are you using?

Chrome

What operating system (and version) are you using?

macOS

Relevant log output

No response

Able to fix / change the documentation?

  • Yes
  • No

Code of Conduct

  • I agree to follow this project's Code of Conduct
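The configurable `origin` option the report asks for, as an added example that is neither part of this report nor Vue Storefront's own code: an allow-list based Origin check in plain JavaScript, shaped like an Express middleware but with no dependency on express or the cors package. The allow-list entries and header values are assumptions for illustration.

```javascript
// Added example (not Vue Storefront code): allow-list based CORS origin validation.
// Origins are compared as whole strings (scheme + host + port), never by prefix
// or suffix, so 'https://example.com' does not match 'https://example.com.other.tld'.
function normalizeOrigin(origin) {
  try {
    // URL.origin drops a default port: 'https://example.com:443' -> 'https://example.com'
    return new URL(origin).origin;
  } catch {
    return null; // missing, 'null', empty or malformed Origin values never match
  }
}

// Returns the CORS headers to emit for a request Origin, or {} when the origin
// is not trusted (the browser then refuses to expose the response to the page).
function corsHeadersFor(origin, allowedOrigins) {
  const allowed = new Set(allowedOrigins.map(normalizeOrigin).filter(Boolean));
  const requested = normalizeOrigin(origin);
  if (!requested || !allowed.has(requested)) return {};
  return {
    'Access-Control-Allow-Origin': requested,      // exact echo of a trusted origin, never '*'
    'Access-Control-Allow-Credentials': 'true',    // only acceptable because the origin was checked
    'Access-Control-Allow-Methods': 'GET,POST,OPTIONS',      // assumed preflight answer
    'Access-Control-Allow-Headers': 'Content-Type,Authorization', // assumed preflight answer
    'Vary': 'Origin',                               // stop caches serving one origin's answer to another
  };
}

// Express-style middleware factory. The default the report describes behaves
// like cors() with origin '*'; this variant only ever echoes allow-listed origins.
function corsMiddleware(allowedOrigins) {
  return (req, res, next) => {
    const headers = corsHeadersFor(req.headers.origin, allowedOrigins);
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (req.method === 'OPTIONS') return res.end(); // preflight: headers only, no body
    next();
  };
}
```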

@WojtekTheWebDev I think changing the defaults on the HELMET module can add this security layer. https://docs.vuestorefront.io/v2/security/headers-security.html

@WojtekTheWebDev is this closed? If yes, please close the issue