
RE: CORS and HTTP headers spoofing

From: Margarita Podskrobko <mpodskrobko@hotmail.com>
Date: Fri, 3 Jun 2011 00:41:55 +0200
Message-ID: <BAY159-w4915264A7F21EFA2446166BA7C0@phx.gbl>
To: <jonas@sicking.cc>
CC: <public-webapps@w3.org>


> From: jonas@sicking.cc
> Date: Thu, 2 Jun 2011 10:29:04 -0700
> Subject: Re: CORS and HTTP headers spoofing
> To: mpodskrobko@hotmail.com
> CC: public-webapps@w3.org
> 
> 2011/5/31 Margarita Podskrobko <mpodskrobko@hotmail.com>:
> > Hello,
> > I was trying to find any information concerning CORS and HTTP headers
> > spoofing. Couldn't find any relevant information though. So if I am able to
> > set Origin header to some custom value, it means that there is no more
> > secure communication between domains as I can pretend to be anyone?
> 
> How would you set the "Origin" header?
> 

I have figured out at least one unexpected and surprisingly easy way to do it in Firefox. There is a Firefox add-on available which lets you set the Origin header to any value. The add-on is available from the following link: https://addons.mozilla.org/en-US/firefox/addon/modify-headers/ I have installed it and tried it with one simple web application. Well, what can I say... It works, and with this add-on I can send a cross-origin XHR with any value of the Origin header.

I have read a couple of discussions in this mailing list concerning security issues of CORS. AFAIU, the main point of CORS is to delegate the security enforcement point from the client browser (requester of the resource) to the server (possessor of the resource). The server decides whether to provide the requested resource or not, and the decision is based on the value of the Origin header. And there is no way to check whether the Origin header is fake or not. So my understanding is that only servers which allow requests from all origins or servers which completely forbid cross-origin requests are in a safe situation. All other ones are subject to attacks coming from same-origin policy violation. Please, correct me if my understanding is inaccurate.

Best regards,
Margarita Podskrobko

Received on Thursday, 2 June 2011 22:42:23 GMT
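To make the "server decides based on the Origin header" step in the message above concrete, here is an added example written for this page (it is not code from the thread, from the add-on, or from any W3C project). The allow-list, the session-token store and the request dictionaries are constructed for the illustration. It shows the two checks a practitioner looks for on the server side: the Origin value is compared by exact match against an allow-list, and access to the resource itself is decided by the request's credentials, with the Origin header only governing whether CORS response headers are emitted. Under that design a client that rewrites its own Origin header, as with the add-on described, obtains only what its own credentials already entitle it to; what the CORS headers control is whether a browser lets a page from another origin read the response.

```python
"""Added example: a minimal server-side CORS decision with an exact-match
origin allow-list and credential-based authorization.

Everything below (allow-list, session store, request dictionaries) is
constructed for this illustration and is not part of the original message.
"""
from typing import Dict, Tuple

# Constructed allow-list of exact origin strings (scheme + host + port).
ALLOWED_ORIGINS = {"https://app.example.test", "https://admin.example.test"}

# Constructed session store: bearer token -> user. Stands in for real auth.
SESSIONS = {"tok-alice": "alice"}


def cors_headers(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Return the CORS response headers for a request, or {} when the Origin
    is absent or not on the allow-list.

    The comparison is an exact string match: no prefix, suffix or regex
    matching, which is where many allow-lists silently admit lookalike hosts.
    """
    origin = request_headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        # Tell caches the answer depends on Origin, so one origin's
        # Access-Control-Allow-Origin is never served to another.
        "Vary": "Origin",
        "Access-Control-Allow-Credentials": "true",
    }
    if "Access-Control-Request-Method" in request_headers:
        # Preflight (OPTIONS): advertise what the actual request may use.
        headers["Access-Control-Allow-Methods"] = "GET, POST"
        headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        headers["Access-Control-Max-Age"] = "600"
    return headers


def handle(method: str, request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Serve a protected resource as (status, headers, body).

    Authorization depends only on the session token; the Origin header never
    grants or denies the data itself, it only selects the CORS headers.
    """
    cors = cors_headers(request_headers)
    if method == "OPTIONS":
        return 204, cors, ""
    token = request_headers.get("Authorization", "").removeprefix("Bearer ")
    user = SESSIONS.get(token)
    if user is None:
        return 401, cors, ""
    return 200, cors, f"private data for {user}"


if __name__ == "__main__":
    # Constructed requests illustrating the four interesting cases.
    cases = {
        "preflight from trusted origin": ("OPTIONS", {
            "Origin": "https://app.example.test",
            "Access-Control-Request-Method": "POST"}),
        "rewritten Origin, no credentials": ("GET", {
            "Origin": "https://app.example.test"}),
        "lookalike origin with credentials": ("GET", {
            "Origin": "https://app.example.test.attacker.test",
            "Authorization": "Bearer tok-alice"}),
        "trusted origin with credentials": ("GET", {
            "Origin": "https://app.example.test",
            "Authorization": "Bearer tok-alice"}),
    }
    for name, (method, hdrs) in cases.items():
        status, out, body = handle(method, hdrs)
        print(f"{name}: {status} {out.get('Access-Control-Allow-Origin', '-')} {body!r}")
```

The third case is the one worth noting: the lookalike origin is served the resource because the request carries a valid token, but it receives no `Access-Control-Allow-Origin` header, so a browser page at that origin could not read the response; the second case shows that a rewritten Origin alone, without credentials, yields nothing.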
