v26.3.2
v26.3.2
Enforce a DNS-label boundary on wildcard return URLs and CORS origins
A wildcard in a return URL or CORS origin is now honored only when the * is confined to a subdomain label and the host part
after it is a registrable domain (an eTLD+1, such as https://*.example.com or https://*.example.co.uk). The wildcard then
matches only hosts under that one customer-owned domain.
These forms are no longer honored, because each can match an attacker-registrable host:
- dot-less, e.g.
https://*foo.com(matcheshttps://evilfoo.com); - public-suffix base, e.g.
https://*.com,https://*.co.uk,https://*.vercel.app; - trailing or bare, e.g.
https://www.example.*,https://*.
Only the host is checked: wildcards in the URL path are unaffected. Exact origins, the catch-all *, and Hydra's https://*
("all hosts for a scheme") are unchanged.
What enforces it
- Return URLs: Kratos drops unsafe wildcard
allowed_return_urlsentries when it loads its config, and they never match. - CORS origins: matching across Kratos, Hydra, Keto, Oathkeeper, and Talos enforces the same boundary at request time.
Breaking changes
Replace any unsafe wildcard with the labelled https://*.example.com form, or list exact origins. Update
serve.*.cors.allowed_origins and Kratos allowed_return_urls before upgrading; otherwise cross-origin requests and post-flow
redirects from those hosts will be blocked.