- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 2 Jun 2011 16:34:46 -0700
- To: Margarita Podskrobko <mpodskrobko@hotmail.com>
- Cc: public-webapps@w3.org
2011/6/2 Margarita Podskrobko <mpodskrobko@hotmail.com>: > >> From: jonas@sicking.cc >> Date: Thu, 2 Jun 2011 10:29:04 -0700 >> Subject: Re: CORS and HTTP headers spoofing >> To: mpodskrobko@hotmail.com >> CC: public-webapps@w3.org >> >> 2011/5/31 Margarita Podskrobko <mpodskrobko@hotmail.com>: >> > Hello, >> > I was trying to find any information concerning CORS and HTTP headers >> > spoofing. Couldn't find any relevant information though. So if I am able >> > to >> > set Origin header to some custom value, it means that there is no more >> > secure communication between domains as I can pretend to be anyone? >> >> How would you set the "Origin" header? >> > > I have figured out at least one unexpected and surprisingly easy way to do > it in Firefox. There is a firefox addon available , which lets set Origin > header to any value. Addon is available from the following > link: https://addons.mozilla.org/en-US/firefox/addon/modify-headers/ I have > installed it and tried it with one simple web application. Well, what can I > say... It works, and with this addon I can send a cross origin XHR with any > value of Origin header. So your concern is that the user would install an addon and use that to attack a target site? What type of attack are you concerned that the user would be able to perform? I.e. what type of data are you worried that the user could steal? Or what type of harm are you worried that the user would be able to cause on the website? CORS was mostly written with the intent of protecting the users data which is stored in various web servers. Obviously the user attacking the webserver to steal his or her own data isn't much of a concern. This is why I'm asking the above question. / Jonas
Received on Thursday, 2 June 2011 23:35:44 UTC