What’s to stop malicious code from spoofing the “Origin” header to exploit CORS?

by

Browsers are in control of setting the Origin header, and users can’t override this value. So you won’t see the Origin header spoofed from a browser. A malicious user could craft a curl request that manually sets the Origin header, but this request would come from outside a browser, and may not have browser-specific info (such as cookies).

Remember: CORS is not security. Do not rely on CORS to secure your site. If you are serving protected data, use cookies or OAuth tokens or something other than the Origin header to secure that data. The Access-Control-Allow-Origin header in CORS only dictates which origins should be allowed to make cross-origin requests. Don’t rely on it for anything more.

More Related Contents:

  1. Response to preflight request doesn’t pass access control check
  2. “Cross origin requests are only supported for HTTP.” error when loading a local file
  3. jQuery XML error ‘ No ‘Access-Control-Allow-Origin’ header is present on the requested resource.’
  4. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘…’ is therefore not allowed access
  5. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  6. No ‘Access-Control-Allow-Origin’ header is present on the requested resource error
  7. Cross-Origin Read Blocking (CORB)
  8. URL Encode a string in jQuery for an AJAX request
  9. CORS error on same domain?
  10. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  11. Understanding AJAX CORS and security considerations
  12. Why does the preflight OPTIONS request of an authenticated CORS request work in Chrome but not Firefox?
  13. AngularJS POST Fails: Response for preflight has invalid HTTP status code 404
  14. Is CORS a secure way to do cross-domain AJAX requests?
  15. How to make a jsonp POST request that specifies contentType with jQuery?
  16. How to intercept all http requests including form submits
  17. Javascript – No ‘Access-Control-Allow-Origin’ header is present on the requested resource
  18. Cross Domain Resource Sharing GET: ‘refused to get unsafe header “etag”‘ from Response
  19. How to allow CORS in react.js?
  20. CORS cookie credentials from mobile WebView loaded locally with file://
  21. HTTP request from Angular sent as OPTIONS instead of POST
  22. Solve Cross Origin Resource Sharing with Flask
  23. Add CORS header to an http request using Ajax
  24. How to Detect Cross Origin (CORS) Error vs. Other Types of Errors for XMLHttpRequest() in Javascript
  25. Empty body in fetch POST request
  26. Microsoft Edge blocked cross-domain requests sent to IPs in same private network CIDR
  27. how to schedule ajax calls every N seconds?
  28. XMLHttpRequest: Network Error 0x80070005, Access is denied on Microsoft Edge (but not IE)
  29. CORS error with jquery
  30. Accessing partial response using AJAX or WebSockets?

Leave a Comment