User contributions
- 20:37, 25 February 2019 (diff | hist) . . (+235) . . Talk:Test Cross Origin Resource Sharing (OTG-CLIENT-007) (current)
- 20:34, 25 February 2019 (diff | hist) . . (+6) . . Talk:Test Cross Origin Resource Sharing (OTG-CLIENT-007)
- 20:34, 25 February 2019 (diff | hist) . . (+13) . . Talk:Test Cross Origin Resource Sharing (OTG-CLIENT-007)
- 20:33, 25 February 2019 (diff | hist) . . (+5) . . Talk:Test Cross Origin Resource Sharing (OTG-CLIENT-007)
- 20:33, 25 February 2019 (diff | hist) . . (+758) . . N Talk:Test Cross Origin Resource Sharing (OTG-CLIENT-007) (Created page with "I've removed the bad "Gray Box" examples as they are BOTH bad: Example 1 is not an example of an inherently insecure request. Allowing all origins is perfectly fine UNLESS yo...")
- 20:29, 25 February 2019 (diff | hist) . . (-157) . . Test Cross Origin Resource Sharing (OTG-CLIENT-007) (→Gray Box testing: Fix gray box description now that both horrible examples are removed.) (current) (Tag: Visual edit)
- 20:27, 25 February 2019 (diff | hist) . . (-2,389) . . Test Cross Origin Resource Sharing (OTG-CLIENT-007) (→Gray Box testing: That example was not a problem with CORS, it was a problem with XSS. In that example CORS headers were coming from the ATTACKER's site. Bad, bad, bad example. Should be deleted completely!!!) (Tag: Visual edit)
- 20:22, 25 February 2019 (diff | hist) . . (-851) . . Test Cross Origin Resource Sharing (OTG-CLIENT-007) (→Gray Box testing: This example is not insecure.) (Tag: Visual edit)
- 20:10, 25 February 2019 (diff | hist) . . (+171) . . Talk:CORS OriginHeaderScrutiny (current)
- 20:09, 25 February 2019 (diff | hist) . . (+505) . . Talk:CORS OriginHeaderScrutiny
- 20:05, 25 February 2019 (diff | hist) . . (-940) . . CORS OriginHeaderScrutiny (That's really all you need to know - don't trust the origin header, do your own authentication. Full stop. This additional rambling about having to manage users and passwords is muddying the waters, and isn't neces. true (not all auth is password auth)) (current) (Tag: Visual edit)
- 20:00, 25 February 2019 (diff | hist) . . (-7,966) . . CORS OriginHeaderScrutiny (Countermeasure B does not help AT ALL. Main recommendation here should be: Don't use the Origin header to validate the sender, as it is not reliable. Why are we recommending adding some overly-complicated mechanism that doesn't actually work?) (Tag: Visual edit)
- 19:49, 25 February 2019 (diff | hist) . . (+39) . . User:Collin Sauve (current) (Tag: Visual edit)
- 19:48, 25 February 2019 (diff | hist) . . (-45) . . Test Cross Origin Resource Sharing (OTG-CLIENT-007) (Echoing Origin back in Access-Control-Allow-Origin is only generally insecure when credentials are also allowed.) (Tag: Visual edit)