Reputation: 841
My ASP.NET MVC web app is accessed by browsers like Chrome. On login form submit, the browser sets the Origin to null. This is identified as a security vulnerability by the WebInspect tool.
Please advise what the solution to this is.
Upvotes: 0
Views: 76
Reputation: 22447
My ASP.NET MVC web app is accessed by browsers like Chrome. On login form submit, the browser sets the Origin to null. This is identified as a security vulnerability by the WebInspect tool.
According to the scenario and description, the null origin issue typically arises in situations where a web request is being made from a local file, a sandboxed iframe, or from an environment that does not have a defined origin. This can lead to security vulnerabilities, as some security tools might flag it because they can't verify the request's source.
It's hard to offer you any straightforward solution for that without seeing your configuration and why the request origin has been set to null.
However, a couple of steps can be taken to deal with the situation.
First of all, if you're accessing your web app through a file:// URL instead of http:// or https://, the browser will set the origin to null.
On the other hand, if your app is being loaded within an iframe with the sandbox attribute, the origin might be set to null.
Most importantly, if the request is being made cross-origin and the server is not properly configured to handle CORS requests, the browser might set the origin to null.
Therefore, double check the above configuration to see whether those are maintained accordingly. In addition, double check your CORS config as well.
If WebInspect or other security tools are flagging the null origin as a vulnerability, review their configuration and ensure they are appropriately set up to handle your application's context. Sometimes, these tools need specific configurations to correctly assess your application's security posture.
We could also set the origin in the request or request model using a hidden property. We can even use an additional property within our request model.
You could do the following:
using System.ComponentModel.DataAnnotations;

public class LoginViewModel
{
    [Required]
    [Display(Name = "Username")]
    public string Username { get; set; }

    [Required]
    [DataType(DataType.Password)]
    [Display(Name = "Password")]
    public string Password { get; set; }

    // Filled in by the page script with window.location.origin
    public string RequestOrigin { get; set; }
}
View:
Add an additional hidden property in the view:
<input type="hidden" id="requestOrigin" name="RequestOrigin" />
Use a script:
@section Scripts {
    <script>
        // Copy the page's own origin into the hidden field before the form is posted
        document.getElementById('requestOrigin').value = window.location.origin;
    </script>
}
Controller:
[HttpPost]
public IActionResult Create(LoginViewModel loginViewModel)
{
    // Origin as sent by the browser in the request header (may be empty or "null")
    var requestOrigin = HttpContext.Request.Headers["Origin"].ToString();
    // Origin as filled into the hidden field by the page script
    var modelOrigin = loginViewModel.RequestOrigin;
    return View();
}
So now you can get the request origin in both ways. If for some unknown reason the browser's Origin is null, you can still get it from the request model.
Output:
Upvotes: 0
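As an added example, not code from the question or the answer above, the following ASP.NET Core middleware shows how a server can check the Origin header on state-changing requests and decide what to do when the browser sends the literal value null. The class name OriginCheckMiddleware, the allowed-origin list and the fallback to the Referer header are assumptions for this example; the allow-list values are placeholders to be replaced with the application's real origins.

```csharp
// Added example (not from the question or the answer): middleware that validates
// the Origin header of POST/PUT/PATCH/DELETE requests against an allow-list.
// Assumed: class name, the allow-list values, and the Referer fallback.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public class OriginCheckMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger<OriginCheckMiddleware> _logger;

    // Origins allowed to submit forms (placeholder values for this example).
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://app.example.com",
            "https://localhost:5001"
        };

    public OriginCheckMiddleware(RequestDelegate next, ILogger<OriginCheckMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Only state-changing methods are checked; GET/HEAD/OPTIONS pass through.
        if (!IsStateChanging(context.Request.Method))
        {
            await _next(context);
            return;
        }

        // Prefer the Origin header; when it is absent, derive scheme://host[:port] from Referer.
        string origin = context.Request.Headers["Origin"].ToString();
        if (string.IsNullOrEmpty(origin))
        {
            origin = OriginFromReferer(context.Request.Headers["Referer"].ToString());
        }

        if (!IsTrusted(origin))
        {
            // Log the rejection so that scanner findings and real cross-site posts can be reviewed.
            _logger.LogWarning("Rejected {Method} {Path}: untrusted origin '{Origin}'",
                context.Request.Method, context.Request.Path, origin);
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            await context.Response.WriteAsync("Untrusted request origin.");
            return;
        }

        await _next(context);
    }

    private static bool IsStateChanging(string method) =>
        !HttpMethods.IsGet(method) && !HttpMethods.IsHead(method) && !HttpMethods.IsOptions(method);

    // The literal string "null" (file://, sandboxed iframe, cross-origin redirect) cannot be
    // verified, so it is treated the same as an origin that is not on the allow-list.
    public static bool IsTrusted(string origin) =>
        !string.IsNullOrEmpty(origin) && origin != "null" && AllowedOrigins.Contains(origin);

    // Reduce an absolute Referer URL to its origin; returns "" when Referer is missing or malformed.
    public static string OriginFromReferer(string referer)
    {
        if (Uri.TryCreate(referer, UriKind.Absolute, out var uri))
            return uri.GetLeftPart(UriPartial.Authority);
        return string.Empty;
    }
}

// Registration (assumed minimal hosting model, in Program.cs before app.MapControllers()):
// app.UseMiddleware<OriginCheckMiddleware>();
```

The check relies on the Origin and Referer headers because the browser sets them and page scripts cannot alter them, whereas a hidden form field such as RequestOrigin is part of the request body and so only reflects what the submitting page chose to put there. In a test environment where the application is opened from file:// or inside a sandboxed iframe, the warning log line written by this middleware shows directly which of the answer's three causes is producing the null value.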