Monday, May 20, 2024
Homepage · ajax
 Popular · Latest · Hot · Upcoming
173
rated 0 times [  175] [ 2]  / answers: 1 / hits: 60416  / 11 Years ago, sat, january 11, 2014, 12:00:00

The way I understand it, if a client-side script running on a page from foo.com wants to request data from bar.com, in the request it must specify the header Origin: http://foo.com, and bar must respond with Access-Control-Allow-Origin: http://foo.com.



What is there to stop malicious code from the site roh.com from simply spoofing the header Origin: http://foo.com to request pages from bar?


More From » ajax
 Answers
15

Browsers are in control of setting the Origin header, and users can't override this value. So you won't see the Origin header spoofed from a browser. A malicious user could craft a curl request that manually sets the Origin header, but this request would come from outside a browser, and may not have browser-specific info (such as cookies).



Remember: CORS is not security. Do not rely on CORS to secure your site. If you are serving protected data, use cookies or OAuth tokens or something other than the Origin header to secure that data. The Access-Control-Allow-Origin header in CORS only dictates which origins should be allowed to make cross-origin requests. Don't rely on it for anything more.


[#73249] Thursday, January 9, 2014, 11 Years  [reply] [flag answer]
Only authorized users can answer the question. Please sign in first, or register a free account.
cadendericki
Add To Favorites
Follow
Total Points: 482
Total Questions: 109
Total Answers: 103
Location: Ecuador
Member since Thu, Jun 4, 2020
4 Years ago
cadendericki questions
Tue, Mar 22, 22, 00:00, 2 Years ago
Wed, Apr 7, 21, 00:00, 3 Years ago
Wed, Jan 27, 21, 00:00, 3 Years ago
Wed, Jul 8, 20, 00:00, 4 Years ago
Thu, May 14, 20, 00:00, 4 Years ago
View All
;