Cors regression test

pbs_light.go

@@ -736,28 +736,7 @@ func serve(revision string, cfg *config.Configuration) error {
 
 	pbc.InitPrebidCache(cfg.CacheURL.GetBaseURL())
 
-	// Fixes #648
-	//
-	// These CORS options pose a security risk... but it's a calculated one.
-	// People _must_ call us with "withCredentials" set to "true" because that's how we use the cookie sync info.
-	// We also must allow all origins because every site on the internet _could_ call us.
-	//
-	// This is an inherent security risk. However, PBS doesn't use cookies for authorization--just identification.
-	// We only store the User's ID for each Bidder, and each Bidder has already exposed a public cookie sync endpoint
-	// which returns that data anyway.
-	//
-	// For more info, see:
-	//
-	// - https://github.com/rs/cors/issues/55
-	// - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
-	// - https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
-	c := cors.New(cors.Options{
-		AllowCredentials: true,
-		AllowOriginFunc: func(origin string) bool {
-			return true
-		},
-		AllowedHeaders: []string{"Origin", "X-Requested-With", "Content-Type", "Accept"}})
-	corsRouter := c.Handler(router)
+	corsRouter := supportCORS(router)
 
 	// Add no cache headers
 	noCacheHandler := NoCache{corsRouter}
@@ -779,3 +758,28 @@ func serve(revision string, cfg *config.Configuration) error {
 	server.Listen(cfg, noCacheHandler, adminRouter, metricsEngine)
 	return nil
 }
+
+// Fixes #648
+//
+// These CORS options pose a security risk... but it's a calculated one.
+// People _must_ call us with "withCredentials" set to "true" because that's how we use the cookie sync info.
+// We also must allow all origins because every site on the internet _could_ call us.
+//
+// This is an inherent security risk. However, PBS doesn't use cookies for authorization--just identification.
+// We only store the User's ID for each Bidder, and each Bidder has already exposed a public cookie sync endpoint
+// which returns that data anyway.
+//
+// For more info, see:
+//
+// - https://github.com/rs/cors/issues/55
+// - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
+// - https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
+func supportCORS(handler http.Handler) http.Handler {
+	c := cors.New(cors.Options{
+		AllowCredentials: true,
+		AllowOriginFunc: func(origin string) bool {
+			return true
+		},
+		AllowedHeaders: []string{"Origin", "X-Requested-With", "Content-Type", "Accept"}})
+	return c.Handler(handler)
+}

pbs_light_test.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/mxmCherry/openrtb"
 	"github.com/spf13/viper"
+	"github.com/stretchr/testify/assert"
 
 	"github.com/prebid/prebid-server/cache/dummycache"
 	"github.com/prebid/prebid-server/config"
@@ -688,6 +689,24 @@ func TestPanicRecovery(t *testing.T) {
 	recovered(nil, pbsmetrics.AdapterLabels{})
 }
 
+// Prevents #648
+func TestCORSSupport(t *testing.T) {
+	const origin = "https://publisher-domain.com"
+	handler := func(w http.ResponseWriter, r *http.Request) {}
+	cors := supportCORS(http.HandlerFunc(handler))
+	rr := httptest.NewRecorder()
+	req, err := http.NewRequest("OPTIONS", "http://some-domain.com/openrtb2/auction", nil)
+	req.Header.Set("Access-Control-Request-Method", "POST")
+	req.Header.Set("Access-Control-Request-Headers", "origin")
+	req.Header.Set("Origin", origin)
+
+	if !assert.NoError(t, err) {
+		return
+	}
+	cors.ServeHTTP(rr, req)
+	assert.Equal(t, origin, rr.Header().Get("Access-Control-Allow-Origin"))
+}
+
 func compareStrings(t *testing.T, message string, expect string, actual string) {
 	if expect != actual {
 		t.Errorf(message, expect, actual)