RE: CORS and HTTP headers spoofing

> From:
> Date: Thu, 2 Jun 2011 10:29:04 -0700
> Subject: Re: CORS and HTTP headers spoofing
> To:
> CC:
> 2011/5/31 Margarita Podskrobko <>:
> > Hello,
> > I was trying to find any information concerning CORS and HTTP headers
> > spoofing. Couldn't find any relevant information though. So if I am able to
> > set Origin header to some custom value, it means that there is no more
> > secure communication between domains as I can pretend to be anyone?
> How would you set the "Origin" header?

I have figured out at least one unexpected and surprisingly easy way to do it in Firefox. There is a firefox  addon available , which lets set Origin header to any value. Addon is available from the following link:  I have installed it and tried it with one simple web application. Well, what can I say... It works, and with this addon I can send a cross origin XHR with any value of Origin header. 
I have read couple of discussions in this mail list concerning security issues of CORS. AFAIU, the main point of CORS is to delegate security enforcement point from client browser(requestor of resource) to server (possessor of resource). The server decides whether to provide requested resource or not, and decision is based on the value of Origin header. And there is no way to check whether Origin header is fake or not. So my understanding is that only servers which allow requests from all origins or servers which completely forbid cross origin requests are in safe situation. All other ones are subjects to attacks, coming from same origin policy violation.Please, correct me if my understanding is inaccurate.
Best regardsMargarita Podskrobko


Received on Thursday, 2 June 2011 22:42:23 UTC