Closed
Bug 862486
Opened 11 years ago
Closed 11 years ago
Possible vulnerability when checking origin on user/create API call
Categories
(Webmaker Graveyard :: Login, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: sedge, Unassigned)
Details
When comparing the origin of the "user/create" API request to the list of allowed origins, we realized that someone could spoof the origin by changing the header on their request and possibly make trouble. Is this a valid concern?
Flags: needinfo?(jon)
Flags: needinfo?(david.humphrey)
Comment 1•11 years ago
For a cross origin request, the spec does not allow the "Origin" header to be overridden by the developer, so you don't need to worry about this attack vector: http://www.w3.org/TR/cors/#source-origin-0
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(jon)
Flags: needinfo?(david.humphrey)
Resolution: --- → INVALID
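As an added illustration of the server-side check this bug is about (example code written here, not Webmaker's own login code): an Origin allowlist comparison for a "user/create"-style endpoint, done by exact match on the normalised origin rather than by substring, with the naive variant shown beside it for contrast. The allowlist values, the `corsGuard` middleware shape and the Express-style `req.headers` / `res.setHeader` objects are assumptions for the example. The check answers only "is this browser-reported origin one of ours" and decides whether CORS headers are emitted; it is not authentication of the caller, so account creation still needs its own authorization and CSRF protection behind it.

```javascript
// Added example, not Webmaker code. Node.js; uses the global WHATWG URL class.

// Hypothetical allowlist, constructed for this example.
const ALLOWED_ORIGINS = new Set([
  'https://webmaker.example',
  'https://login.webmaker.example',
]);

// Normalise a scheme://host[:port] origin so the comparison is exact.
// Returns null for anything that is not a valid, non-opaque origin.
function normalizeOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return null; // e.g. the literal "null" origin, or garbage
  }
  // URL.origin keeps scheme + host and drops default ports, path, query,
  // fragment and userinfo, so "https://a.example:443" === "https://a.example".
  return url.origin === 'null' ? null : url.origin;
}

// True only when the header is present and its normalised value is exactly
// one of the allowed origins.
function isAllowedOrigin(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string') return false; // header absent
  const origin = normalizeOrigin(originHeader.trim());
  if (origin === null) return false;
  return allowlist.has(origin);
}

// The bug to avoid: a prefix/substring match. It accepts
// "https://webmaker.example.evil.test" because an allowed origin is a prefix.
function isAllowedOriginNaive(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string') return false;
  for (const allowed of allowlist) {
    if (originHeader.startsWith(allowed)) return true;
  }
  return false;
}

// Express-style middleware (assumed shape): emit CORS headers only for an
// allowed Origin; reject any other cross-origin request with 403.
function corsGuard(req, res, next) {
  const origin = req.headers['origin'];
  if (origin === undefined) {
    // No Origin header: nothing to compare; downstream auth/CSRF checks still run.
    return next();
  }
  if (!isAllowedOrigin(origin)) {
    res.statusCode = 403;
    return res.end('Origin not allowed');
  }
  res.setHeader('Access-Control-Allow-Origin', normalizeOrigin(origin));
  res.setHeader('Vary', 'Origin');
  return next();
}

module.exports = { ALLOWED_ORIGINS, normalizeOrigin, isAllowedOrigin, isAllowedOriginNaive, corsGuard };
```

Mounting `corsGuard` in front of the create route (`app.post('/user/create', corsGuard, handler)`) keeps the allowlist decision in one place; the `Vary: Origin` header stops a shared cache from replaying one origin's `Access-Control-Allow-Origin` to another.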
Reporter
Comment 2•11 years ago
:jbuck - Perhaps I'm not understanding the terminology involved. Couldn't the client modify that part of the header before sending it to the server?