Possible vulnerability when checking origin on user/create API call

RESOLVED INVALID

Webmaker

(Reporter: sedge, Unassigned)

(Reporter)

Description

5 years ago
When comparing the origin of the "user/create" API request to the list of allowed origins, we realized that someone could spoof the origin by changing the header on their request and possibly make trouble.

Is this a valid concern?
Flags: needinfo?(jon)
Flags: needinfo?(david.humphrey)

Comment 1

5 years ago
For a cross origin request, the spec does not allow the "Origin" header to be overridden by the developer, so you don't need to worry about this attack vector: http://www.w3.org/TR/cors/#source-origin-0
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: needinfo?(jon)
Flags: needinfo?(david.humphrey)
Resolution: --- → INVALID
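An added example, not part of this bug or of Webmaker's code, showing the kind of origin allowlist check the report is about and the two points Comment 1 makes: browsers set the Origin header themselves and do not let page scripts change it, so the check defends against a hostile web page driving a victim's browser; a client that is not a browser can send any Origin it likes, so the check cannot stand in for authentication. The allowlist entries (`https://app.example`, `http://localhost:8888`) and the header objects are constructed sample values; the function names are this example's own.

```javascript
// Added example (not Webmaker's code): an exact-match Origin allowlist check
// for a state-changing API call such as POST /user/create, written as plain
// Node.js functions so it can be exercised without a server.
//
// Assumptions (not from the bug): allowlist entries are full origins
// ("scheme://host[:port]"), and header names have already been lowercased,
// as Node's http module does.
//
// Why the check is worth having: a browser fills in Origin itself and refuses
// to let page scripts override it, so a malicious site cannot forge an allowed
// origin from a victim's browser. Why it is not enough on its own: any
// non-browser client can send an arbitrary Origin, so the server must still
// authenticate the request (session cookie, API key) and must not treat a
// matching Origin as proof of where the request came from.

// Normalise an origin string to "scheme://host[:port]" with default ports
// dropped and the host lowercased. Returns null for anything that is not a
// plain http(s) origin, including the literal "null" origin and values that
// carry a path or query.
function normalizeOrigin(raw) {
  if (typeof raw !== 'string' || raw === '' || raw === 'null') return null;
  let u;
  try {
    u = new URL(raw); // WHATWG URL is a Node global; no require needed
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  // A real Origin value has no path, query or fragment.
  if (u.pathname !== '/' || u.search !== '' || u.hash !== '') return null;
  return u.origin; // already omits default ports (443 for https, 80 for http)
}

// Build the allowlist once at startup; silently drops unparseable entries.
function buildAllowlist(origins) {
  return new Set(origins.map(normalizeOrigin).filter(Boolean));
}

// Whole-origin comparison only. Substring or loose regex matching is a classic
// bug here: "https://app.example.attacker.test" contains "app.example".
function isAllowedOrigin(originHeader, allowlist) {
  const o = normalizeOrigin(originHeader);
  return o !== null && allowlist.has(o);
}

// Decision for a state-changing request. Returns a reason so callers and
// tests can see why a request was refused. A missing Origin means the request
// did not come from a cross-site browser context; the origin check can say
// nothing about it either way, so it is not accepted here and the caller
// should rely on the request's authentication instead.
function checkCreateRequest(headers, allowlist) {
  const origin = headers['origin'];
  if (origin === undefined) {
    return { allowed: false, reason: 'no-origin-header' };
  }
  if (!isAllowedOrigin(origin, allowlist)) {
    return { allowed: false, reason: 'origin-not-allowed' };
  }
  return { allowed: true, reason: 'origin-allowed' };
}

// Constructed sample configuration for a local run.
const SAMPLE_ALLOWLIST = buildAllowlist(['https://app.example', 'http://localhost:8888/']);
```

Running `checkCreateRequest({ origin: 'https://app.example' }, SAMPLE_ALLOWLIST)` yields `allowed: true`, while a lookalike such as `https://app.example.attacker.test` or the opaque `null` origin is refused. The useful reading of the result is the narrow one from Comment 1: a refusal blocks cross-site browser requests, and an acceptance only tells you that whoever sent the request chose to present an allowed origin, which a browser is forced to do and a script with its own HTTP client is not.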
(Reporter)

Comment 2

5 years ago
:jbuck - Perhaps I'm not understanding the terminology involved.  Couldn't the client modify that part of the header before sending it to the server?