Re: CORS and HTTP headers spoofing

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 02 Jun 2011 20:52:39 -0400
Message-ID: <4DE83057.4010807@mit.edu>
To: public-webapps@w3.org
On 6/2/11 6:41 PM, Margarita Podskrobko wrote:
> I have read a couple of discussions in this mailing list concerning security
> issues of CORS. AFAIU, the main point of CORS is to delegate the security
> enforcement point from the client browser (requester of the resource) to the
> server (possessor of the resource).

It's the other way around.  It's to delegate the security enforcement to
the _browser_.  The server responds with the resource and
Access-Control-Allow-Origin and the browser uses that information to
decide whether to give the data to the origin that asked for it.

The Origin header the browser sends is effectively advisory; clearly
anyone can always send an HTTP request to a server with a given Origin
header (using telnet to port 80, say!).  So the server should not be
making any assumptions about what the Origin header really means
security-wise.

> So my understanding is that only servers which allow requests from all origins
> or servers which completely forbid cross-origin requests are in a safe
> situation.

The client can always send an Origin header claiming the request is
same-origin...

-Boris
Received on Friday, 3 June 2011 00:53:08 GMT
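A small model of the division of labour Boris describes, added here as an illustration and not taken from the thread or any W3C code. The server uses the (unverifiable) Origin value only to choose its CORS response headers and gates the data on a credential it can actually check; the browser is the one that enforces Access-Control-Allow-Origin. The allowlist, token store and header names other than the CORS ones are constructed for the example.

```python
# Constructed data for the model: one allowlisted origin, one valid bearer token.
ALLOWED_ORIGINS = {"https://app.example"}
VALID_TOKENS = {"tok-123": "alice"}


def server_handle(headers):
    """Return (status, response headers, body) for a request with these headers.
    Origin is advisory input: any client can send any value, so it only decides
    which CORS headers go out, never whether the caller is authorized."""
    resp = {}
    origin = headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        # Echo only an allowlisted origin (no "*" on a credentialed response).
        resp["Access-Control-Allow-Origin"] = origin
        resp["Access-Control-Allow-Credentials"] = "true"
        resp["Vary"] = "Origin"
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    user = VALID_TOKENS.get(token)
    if user is None:
        return 401, resp, ""          # data is withheld by authentication, not by Origin
    return 200, resp, "secret data for " + user


def browser_fetch(page_origin, token=None):
    """Model of a browser: sends a truthful Origin, then enforces the CORS headers.
    Returns the body only if the page at page_origin may read it, else None."""
    headers = {"Origin": page_origin}
    if token:
        headers["Authorization"] = "Bearer " + token
    status, resp, body = server_handle(headers)
    acao = resp.get("Access-Control-Allow-Origin")
    # The server already sent the response; the browser decides whether the page sees it.
    if acao != page_origin:
        return None
    if token and resp.get("Access-Control-Allow-Credentials") != "true":
        return None
    return body if status == 200 else None


def non_browser_client(claimed_origin, token=None):
    """A plain HTTP client (telnet, curl) that sends whatever Origin it likes and
    ignores CORS headers. Shows why Origin carries no authorization weight."""
    headers = {"Origin": claimed_origin}
    if token:
        headers["Authorization"] = "Bearer " + token
    status, _, body = server_handle(headers)
    return body if status == 200 else None
```

A claimed Origin without a valid token yields nothing, and a valid token yields the data regardless of Origin; the only thing Access-Control-Allow-Origin ever controls is what a cooperating browser exposes to a page.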