CORS - Access-Control-Allow headers added for spurious domain


(As a new user, the forum won’t allow me to put more than 2 links into a post. Unfortunately, this breaks the commands I use to show/recreate this issue; I’ve removed the protocol-colon-slash-slash, and turned FQDNs into single words)

I’ve come across a circumstance where the tracker PHP responds to a CORS Origin: header (with an unauthorised domain) with unexpected Access-Control-Allow headers in the response. If I have the idea of CORS right, anyway…

The problem occurs with POST, but not GET. And only when the response merits a 204 code rather than a 200.

Pre-requisites in my testing:

  • Matomo installed on analyticsdomain
  • Configured with QueuedTracking
  • CORS domains configured, e.g. gooddomain1 and gooddomain2
  • Do not include baddomain in the list
  • Configure tracking to allow debug on demand

Then simulate tracker requests with the following 6 commands:

  • curl --verbose -X GET -H "Origin: baddomain" "analyticsdomain/matomo.php?send_image=1&debug=1"
  • curl --verbose -X GET -H "Origin: baddomain" "analyticsdomain/matomo.php?send_image=1&debug=0"
  • curl --verbose -X GET -H "Origin: baddomain" "analyticsdomain/matomo.php?send_image=0&debug=0"
  • curl --verbose -X POST -H "Origin: baddomain" "analyticsdomain/matomo.php" --data "send_image=1&debug=1"
  • curl --verbose -X POST -H "Origin: baddomain" "analyticsdomain/matomo.php" --data "send_image=1&debug=0"
  • curl --verbose -X POST -H "Origin: baddomain" "analyticsdomain/matomo.php" --data "send_image=0&debug=0"

In the last case, the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers appear in the response, even though this domain is not in the list of configured domains.

In fact, the response will reflect any string from the Origin header, even a single "*" character:

  • curl --verbose -X POST -H "Origin: *" "analyticsdomain/matomo.php" --data "send_image=0&debug=0"

Obviously these are cut down examples, but I see the problem with a full complement of arguments.
Problem also seen when debugging on demand is not turned on.

Our setup:

  • Matomo on own server at version 4.5.0
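The six curl commands above are a manual probe matrix. The script below is an added example (not code from the original post, and not Matomo code) that automates the same check: it sends the full GET/POST x send_image x debug matrix (eight combinations, two more than the post tried) with a chosen Origin and flags any response whose Access-Control-Allow-Origin echoes an origin that is not on the allow-list, or is a bare "*". The allow-list, the tracker URL and the simulated_tracker transport are assumptions; the simulation is constructed to reproduce what the post describes (GET never reflects, POST with send_image=0 answers 204 and echoes the Origin) so the script runs offline, and it assumes the reflection does not depend on the debug flag, which the post only partly tested. Swap in http_fetch to run it against a real install.

```python
"""Probe a tracker endpoint for reflected CORS headers (added example)."""
import itertools
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str]]                 # (status, response headers)
Fetch = Callable[[str, str, str, Optional[bytes]], Response]

# Assumed allow-list, mirroring the gooddomain1/gooddomain2 setup in the post.
ALLOWED_ORIGINS = {"https://gooddomain1", "https://gooddomain2"}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def reflects_untrusted_origin(origin: str, headers: Dict[str, str],
                              allowed=ALLOWED_ORIGINS) -> bool:
    """True if the response grants cross-origin access to an origin that is not
    on the allow-list: either the sent Origin is echoed back, or a bare '*' is
    returned (which, combined with Allow-Credentials: true, browsers reject but
    still signals a missing check server-side)."""
    if origin in allowed:
        return False
    acao = _header(headers, "Access-Control-Allow-Origin")
    if acao is None:
        return False
    return acao == origin or acao == "*"


def probe_matrix(fetch: Fetch, tracker_url: str, origin: str) -> List[dict]:
    """Send every GET/POST x send_image x debug combination and return findings."""
    findings = []
    for method, send_image, debug in itertools.product(("GET", "POST"), (1, 0), (1, 0)):
        params = urllib.parse.urlencode({"send_image": send_image, "debug": debug})
        if method == "GET":
            status, headers = fetch(method, f"{tracker_url}?{params}", origin, None)
        else:
            status, headers = fetch(method, tracker_url, origin, params.encode())
        if reflects_untrusted_origin(origin, headers):
            findings.append({
                "method": method, "send_image": send_image, "debug": debug,
                "status": status,
                "acao": _header(headers, "Access-Control-Allow-Origin"),
                "credentials": _header(headers, "Access-Control-Allow-Credentials"),
            })
    return findings


def http_fetch(method: str, url: str, origin: str, body: Optional[bytes]) -> Response:
    """Real transport for a live install (assumes the URL is reachable)."""
    req = urllib.request.Request(url, data=body, method=method, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:          # 4xx/5xx still carry headers
        return err.code, dict(err.headers.items())


def simulated_tracker(method: str, url: str, origin: str, body: Optional[bytes]) -> Response:
    """Constructed stand-in reproducing the post's observation: GET never
    reflects; POST with send_image=0 answers 204 and echoes the Origin."""
    if method == "GET":
        return 200, {"Content-Type": "image/gif"}
    params = urllib.parse.parse_qs((body or b"").decode())
    if params.get("send_image") == ["0"]:
        return 204, {"Access-Control-Allow-Origin": origin,
                     "Access-Control-Allow-Credentials": "true"}
    return 200, {"Content-Type": "image/gif"}


if __name__ == "__main__":
    # Replace simulated_tracker with http_fetch to test a real deployment.
    for finding in probe_matrix(simulated_tracker,
                                "https://analyticsdomain/matomo.php",
                                "https://baddomain"):
        print(finding)
```

Only the two POST/send_image=0 combinations are reported by the simulation, which matches the post: the GET requests and the POSTs that return an image (200) carry no Access-Control-Allow-* headers for the untrusted origin.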