Is it correct that a request without an "Origin" header, sent to a CORS-protected resource whose Access-Control-Allow-Origin is set to a specific FQDN, receives a normal 200 response?
I was expecting an error, like when Origin is set to a different FQDN than the one allowed, but it works perfectly.
CORS protection is designed to prevent one website triggering activity on another website using your credentials, e.g. a script on A.com posting data to B.com via an AJAX request.
The Origin header is automatically set by the browser (and cannot be overridden) if a site triggers a request to a different domain*. This is checked against the 'Access-Control-Allow-Origin' header on the second site.
If you are directly accessing B.com in a browser then Origin will be blank because you are on the same site: CORS is not relevant. Manually setting an Origin header will mimic the restriction behaviour but it's not the normal scenario that CORS is designed to protect the user from.
*Certain types of request (such as loading images or scripts) are not blocked by CORS protection.
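The two halves of CORS enforcement the answer describes, modelled as an added example that is not part of the original answer: the server answers 200 and attaches a fixed Access-Control-Allow-Origin, and the browser compares that header with the request's Origin before letting script read the response. The allowed origin and hostnames are assumptions for illustration, and the `*` case goes slightly beyond the answer to show the general rule.

```python
"""Added example (not from the original question or answer).

Simulates why a request with no Origin header gets a plain 200 from a
CORS-protected resource: the server never refuses on Origin, the
browser is what applies the Access-Control-Allow-Origin check.
"""
from typing import Dict, Optional, Tuple

# Assumed server configuration: only this origin may read the resource.
ALLOWED_ORIGIN = "https://a.example"


def server_respond(origin: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Server side: a typical static CORS setup.

    The server serves the resource regardless of Origin and merely
    advertises which origin the browser may hand the response to.
    """
    headers = {"Access-Control-Allow-Origin": ALLOWED_ORIGIN}
    return 200, headers


def browser_exposes_response(origin: Optional[str], headers: Dict[str, str]) -> bool:
    """Browser side: a simplified CORS response check.

    origin is None for a same-origin request (e.g. the URL typed into the
    address bar); no cross-origin check applies and the response is shown.
    """
    if origin is None:
        return True
    acao = headers.get("Access-Control-Allow-Origin")
    if acao == "*":
        return True  # wildcard: any origin (not valid with credentials)
    return acao == origin


def fetch_as_browser(origin: Optional[str]) -> Tuple[int, bool]:
    """Return (status the server sent, whether script may read the body)."""
    status, headers = server_respond(origin)
    return status, browser_exposes_response(origin, headers)


if __name__ == "__main__":
    for o in (None, "https://a.example", "https://other.example"):
        print(o, "->", fetch_as_browser(o))
```

The third case shows the status is 200 even when the browser blocks access, which is why a client that sends no Origin (or a forged one) is not stopped by CORS: it is a browser-side protection for users, not server-side access control.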