Controversy in OWASP CORS recommendations

I was puzzled to see this discrepancy on the OWASP cheat sheet for CORS:

  • Be especially careful when using the Access-Control-Allow-Credentials: true response header. Whitelist allowed origins and never reflect the Origin request header in Access-Control-Allow-Origin.
  • Allow only selected, trusted domains in the Access-Control-Allow-Origin header. Prefer whitelisting domains over blacklisting or allowing any domain (either using the * wildcard or echoing the contents of the Origin header).

There is a lot of information out there saying you should reflect the Origin request header, so I can't think of a reason not to do this, other than for a public API where you would use the * wildcard. I mean, if you whitelist the origin domain as recommended here, then you are protected against Origin header forgery. Did I miss something? Is it just a typo on this sheet?

+4

1 answer

I think the second recommendation is poorly worded. Both of them say you should avoid repeating the Origin header. By "repeating", I think they mean blindly copying the value of the Origin header into the Access-Control-Allow-Origin header without any intermediate checks (such as whitelisting). Also note that these are recommendations, not absolute rules, and should be interpreted through the lens of your needs. The more open and public the API, the more acceptable the * value is.

+5
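The distinction the answer draws, as an added example that is not part of the original question, the answer, or the OWASP cheat sheet: the "reflect the Origin header" pattern the cheat sheet warns against, next to the exact-match allowlist it recommends. The origins in the allowlist and the test values are constructed sample values.

```javascript
// Constructed allowlist: only these exact origins may read credentialed responses.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// What the cheat sheet calls "repeating the contents of the Origin header":
// whatever origin the browser sent is echoed back, with credentials allowed.
// Any site can then make credentialed requests and read the responses.
function corsHeadersReflecting(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Whitelisted variant: the Origin value is only echoed back after an exact
// match against the allowlist. Unlisted origins, the literal "null" origin,
// and requests without an Origin header get no CORS headers at all.
// Exact matching (Set.has) rather than prefix/substring matching means a
// lookalike such as "https://app.example.com.example.net" is rejected.
// "Vary: Origin" stops a shared cache from serving one origin's response
// to another origin.
function corsHeadersAllowlisted(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// The wildcard case the answer mentions for a fully public API. Browsers
// reject "*" combined with credentials, so this variant never sets
// Access-Control-Allow-Credentials.
function corsHeadersPublic() {
  return { "Access-Control-Allow-Origin": "*" };
}
```

The same allowlist check belongs on the preflight (OPTIONS) response as well as on the actual response, since both carry Access-Control-Allow-Origin.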

Source: https://habr.com/ru/post/1498262/