When comparing the origin of the "user/create" API request to the list of allowed origins, we realized that someone could spoof the origin by changing the header on their request and possibly make trouble. Is this a valid concern?
For a cross-origin request, the spec does not allow the "Origin" header to be overridden by the developer, so you don't need to worry about this attack vector: http://www.w3.org/TR/cors/#source-origin-0
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
:jbuck - Perhaps I'm not understanding the terminology involved. Couldn't the client modify that part of the header before sending it to the server?
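Added example, not part of the bug report or of the project it concerns: an Origin allow-list check of the kind the reporter describes for the "user/create" endpoint, written as plain Node.js functions so it can be exercised without a server. The endpoint, the allowed origins and the sample requests are made up for the illustration. The two threads of the discussion both show up in it: a script running in a browser cannot set Origin itself (browsers treat it as a forbidden request header and fill it in from the page's origin), so the comparison is meaningful for browser traffic; a client that is not a browser, such as curl, can type in any Origin it likes, so the same check passes a hand-crafted request and the endpoint still needs real authentication.

```javascript
"use strict";

// Added example, not code from the bug report or the project under discussion.
// An Origin allow-list check for a hypothetical "user/create" endpoint, written
// as plain functions so it can be exercised without an HTTP server.
// The allowed origins below are made up for the example.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Normalise an Origin header value to the scheme://host[:port] form a browser
// sends, or return null if it is not a single well-formed origin. Parsing with
// URL lower-cases the host and strips default ports, so
// "https://APP.example.com:443" compares equal to "https://app.example.com".
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // not parseable as an absolute URL
  }
  // A real Origin has no path, query, fragment or userinfo; anything more is
  // either a mistake or an attempt to confuse a naive string comparison.
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return null;
  }
  if (url.origin === "null") return null; // opaque origin (e.g. non-HTTP scheme)
  return url.origin;
}

// Decide what to do with the Origin of a request to the endpoint.
//   { kind: "not-cors" }            no Origin header: same-origin request, or a
//                                   client that is not a browser; no CORS headers
//   { kind: "allow", allowOrigin }  cross-origin browser request we accept
//   { kind: "reject" }              anything else
// The comparison is exact set membership. Prefix or substring tests would let
// "https://app.example.com.evil.net" or "https://evil.net/https://app.example.com" through.
function evaluateOrigin(rawOrigin) {
  if (rawOrigin === undefined) return { kind: "not-cors", allowOrigin: null };
  const origin = normalizeOrigin(rawOrigin);
  if (origin !== null && ALLOWED_ORIGINS.has(origin)) {
    return { kind: "allow", allowOrigin: origin };
  }
  return { kind: "reject", allowOrigin: null };
}

// Response headers to add for an accepted cross-origin request. The matched
// origin is echoed back rather than "*" (required anyway when credentials are
// allowed) and Vary: Origin stops a cache from handing one origin's response
// to another.
function corsHeadersFor(requestHeaders) {
  const verdict = evaluateOrigin(requestHeaders.origin);
  if (verdict.kind !== "allow") return {};
  return {
    "Access-Control-Allow-Origin": verdict.allowOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed sample requests (header names lower-cased, as Node's http module
// presents them). browserCrossOrigin and curlSpoofed carry the same Origin
// value: one is what a browser sends from a page on app.example.com, the other
// a curl invocation that typed the header in by hand. The check cannot tell
// them apart, which is why it works as a CORS/CSRF control for browser traffic
// but not as authentication; "user/create" still has to authenticate the caller.
const SAMPLE_REQUESTS = {
  sameOrigin: { host: "api.example.com" },
  browserCrossOrigin: { host: "api.example.com", origin: "https://app.example.com" },
  lookalike: { host: "api.example.com", origin: "https://app.example.com.evil.net" },
  curlSpoofed: { host: "api.example.com", origin: "https://app.example.com" },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, evaluateOrigin(req.origin).kind, corsHeadersFor(req));
}
```

Running it prints "not-cors" for the request without an Origin, "allow" with echoed CORS headers for the browser request, "reject" with no CORS headers for the look-alike host, and, for the curl request, exactly the same "allow" verdict and headers as the browser request, because the header value is all the server ever sees.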