This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Talk:CORS OriginHeaderScrutiny

From OWASP
Revision as of 20:09, 25 February 2019 by Collin Sauve (talk | contribs)

Jump to: navigation, search

what does "protract allowed domain guessing" mean?

I don't understand what this is trying to say - "It's the browser (or others tools) that send the HTTP request then the IP address that we have access to is the client IP address"

--

The original state of this article was mostly nonsense and I'm not surprised it had been "flagged for review". The correct recommendation can be summarized as:

  • Don't trust the Origin header
  • Do your own authentication

All that stuff about trying to guess if the Origin header can be trusted was not only overly-complicated but is bad in practice. You can never trust the Origin header. Ever.

Collin Sauve (talk) 14:09, 25 February 2019 (CST)