
Difference between revisions of "Talk:CORS OriginHeaderScrutiny"

(request for clarification of some statements)

Latest revision as of 20:10, 25 February 2019

What does "protract allowed domain guessing" mean?

I don't understand what this is trying to say - "It's the browser (or others tools) that send the HTTP request then the IP address that we have access to is the client IP address"

--

The original state of this article was mostly nonsense and I'm not surprised it had been "flagged for review". The correct recommendation can be summarized as:

  • Don't trust the Origin header
  • Do your own authentication

All that stuff about trying to guess if the Origin header can be trusted was not only overly-complicated but is bad in practice. You can never trust the Origin header. Ever. Everything in an HTTP request can be crafted to say anything outside of a browser. The recommendations that existed here were essentially "make sure they fake it well".

Collin Sauve (talk) 14:09, 25 February 2019 (CST)
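The contrast the comment draws, as an added illustration that is not part of this talk page or of the article it discusses: the Origin header is a client-supplied string, so it may only select which CORS response headers to emit, while access to the resource is decided by a credential the server can verify. Names (`handle`, `ALLOWED_ORIGINS`, `SESSIONS`, the token values) are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed configuration: the only origins whose browser-side scripts may
# read responses, and a toy session store standing in for real authentication.
ALLOWED_ORIGINS = {"https://app.example.com"}
SESSIONS = {"token-alice-123": "alice"}


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def origin_as_auth(req: Request) -> Response:
    """The pattern the comment rejects: Origin treated as proof of identity.
    Any non-browser client can set this header to whatever it likes."""
    if req.headers.get("Origin") in ALLOWED_ORIGINS:
        return Response(200, "secret")
    return Response(403, "forbidden")


def authenticate(req: Request) -> Optional[str]:
    """Verify a server-issued credential; returns the user or None."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token)


def cors_headers(req: Request) -> Dict[str, str]:
    """Origin is used only to decide what CORS headers the browser receives.
    An unknown origin simply gets no Access-Control-Allow-Origin header."""
    origin = req.headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def handle(req: Request) -> Response:
    """Authentication decides access; Origin decides CORS headers, nothing more."""
    user = authenticate(req)
    if user is None:
        return Response(401, "unauthorized", cors_headers(req))
    return Response(200, f"secret for {user}", cors_headers(req))
```

A forged Origin with no credential is accepted by `origin_as_auth` but rejected by `handle`; a valid credential from an unlisted origin still gets the resource, only without the CORS header that would let a browser page read it.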