
Re: CORS and HTTP headers spoofing

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 2 Jun 2011 16:34:46 -0700
Message-ID: <BANLkTin9sSQjxBTwDv_pD+iB=ffziX9etA@mail.gmail.com>
To: Margarita Podskrobko <mpodskrobko@hotmail.com>
Cc: public-webapps@w3.org

2011/6/2 Margarita Podskrobko <mpodskrobko@hotmail.com>:
>
>> From: jonas@sicking.cc
>> Date: Thu, 2 Jun 2011 10:29:04 -0700
>> Subject: Re: CORS and HTTP headers spoofing
>> To: mpodskrobko@hotmail.com
>> CC: public-webapps@w3.org
>>
>> 2011/5/31 Margarita Podskrobko <mpodskrobko@hotmail.com>:
>> > Hello,
>> > I was trying to find any information concerning CORS and HTTP headers
>> > spoofing. Couldn't find any relevant information though. So if I am able
>> > to set the Origin header to some custom value, it means that there is no more
>> > secure communication between domains as I can pretend to be anyone?
>>
>> How would you set the "Origin" header?
>>
>
> I have figured out at least one unexpected and surprisingly easy way to do
> it in Firefox. There is a Firefox addon available which lets you set the Origin
> header to any value. The addon is available from the following
> link: https://addons.mozilla.org/en-US/firefox/addon/modify-headers/  I have
> installed it and tried it with one simple web application. Well, what can I
> say... It works, and with this addon I can send a cross-origin XHR with any
> value of the Origin header.

So your concern is that the user would install an addon and use that
to attack a target site? What type of attack are you concerned that
the user would be able to perform? I.e. what type of data are you
worried that the user could steal? Or what type of harm are you
worried that the user would be able to cause on the website?

CORS was mostly written with the intent of protecting the user's data
which is stored on various web servers. Obviously the user attacking
the web server to steal his or her own data isn't much of a concern.
This is why I'm asking the above question.

/ Jonas
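The threat model Jonas describes, as an added example that is not part of the thread: a toy server whose only credential is the session cookie and which treats Origin as advisory, a conforming browser that withholds the response unless the server opted in for the page's real origin, and a user-controlled client (as with the header-modifying addon above) that can send any Origin but only its own cookie. The allowlist, sessions and data are constructed.

```python
# Added example, not code from the thread. Models why a client forging its own
# Origin header gains nothing: it still only carries its own credentials.

ALLOWED_ORIGINS = {"https://app.example"}                # constructed allowlist
SESSIONS = {"cookie-alice": "alice", "cookie-mallory": "mallory"}  # constructed
PRIVATE_DATA = {"alice": "alice's private data",
                "mallory": "mallory's private data"}

def server(request):
    """Authenticate by cookie only. Origin is client-supplied, so it is never
    used as a credential; it only decides which CORS headers to emit."""
    user = SESSIONS.get(request.get("cookie"))
    if user is None:
        return {"status": 401, "headers": {}, "body": ""}
    headers = {}
    origin = request.get("origin")
    if origin in ALLOWED_ORIGINS:
        # Echo the exact allowed origin, never "*", when credentials are involved.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return {"status": 200, "headers": headers, "body": PRIVATE_DATA[user]}

def browser_fetch(page_origin, cookie):
    """A conforming browser: sends the page's real origin plus the user's cookie,
    and hands the body to the page only if the server opted that origin in.
    This is the check that protects a victim's data from a hostile page."""
    resp = server({"origin": page_origin, "cookie": cookie})
    if resp["headers"].get("Access-Control-Allow-Origin") != page_origin:
        return None  # response withheld from the page
    return resp["body"]

def forged_fetch(fake_origin, cookie):
    """A user-controlled client (e.g. an addon rewriting headers): arbitrary
    Origin, but only the cookie that client actually holds, so the server
    returns that user's own data and nobody else's."""
    return server({"origin": fake_origin, "cookie": cookie})["body"]

if __name__ == "__main__":
    print(browser_fetch("https://evil.example", "cookie-alice"))  # None
    print(forged_fetch("https://app.example", "cookie-mallory"))  # mallory's own data
```

A forged Origin therefore changes which CORS headers the forger receives, not whose data the server returns; the data of a user who has not installed such an addon stays behind the browser's check.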
Received on Thursday, 2 June 2011 23:35:44 GMT
