The way I understand it, if a client-side script running on a page from foo.com wants to request data from bar.com, in the request it must specify the header Origin: http://foo.com
, and bar must respond with Access-Control-Allow-Origin: http://foo.com
.
What is there to stop malicious code from the site roh.com from simply spoofing the header Origin: http://foo.com
to request pages from bar?
Browsers are in control of setting the Origin
header, and users can't override this value. So you won't see the Origin
header spoofed from a browser. A malicious user could craft a curl request that manually sets the Origin
header, but this request would come from outside a browser, and may not have browser-specific info (such as cookies).
Remember: CORS is not security. Do not rely on CORS to secure your site. If you are serving protected data, use cookies or OAuth tokens or something other than the Origin
header to secure that data. The Access-Control-Allow-Origin
header in CORS only dictates which origins should be allowed to make cross-origin requests. Don't rely on it for anything more.