How Secure Is Http_Origin

CORS Protection: What is the point of HTTP_ORIGIN

After reading some questions on here, it is my understanding that most browsers don't even send the HTTP_ORIGIN header

Well, that's not true. Anything supporting CORS supports sending the Origin request header.

because you've got to then put the Allow-Origin as an asterisk to allow multiple domains to call it

No, that's also not true. Your server can respond differently, based on different origins.

For example, if a request comes in with Origin: a.example.com, then you can respond with Access-Control-Allow-Origin: a.example.com.

If a request comes in with Origin: b.example.com, you respond Access-Control-Allow-Origin: b.example.com.

We all know by now - do not trust whatever a browser sends you as it can easily be faked, so why was this ever even considered to be implemented?

CORS is not for protecting server resources. It's for isolating client access.

As you know, web pages can include data from multiple origins. We do this all the time with images, scripts, etc. However, this only allows for us to see content from multiple origins. It doesn't allow the scripts from multiple origins to see each other's data.

Suppose that wasn't the case... and that you could make cross-domain AJAX requests. Suppose I have a popular blog on investment advice. I know that people reading my blog also probably logged into their brokerage site recently. I could rig a script on my blog site that fires off AJAX requests to the brokerage site to make trades. The reason is that instead of the user making the request, now I'm making the request... but with their cookies. I can impersonate them without them even knowing! Scary stuff.

In a more common example, a lot of home routers have admin panels with the default credentials. A lot of these routers also don't use the proper HTTP verbs... so a GET request can be used to do things like open up ports. These routers are still doomed as I can make a GET request with a simple image tag. Something like this:

<img src="http://192.168.1.1/firewall/?action=openPort&port=22" />

(Of course the "image" will fail to load, but the browser will have made the request and the router will have complied with it.)

If the router used the correct verbs such as PUT or POST, it wouldn't be possible to make this change with a simple image tag. But without CORS, a page could make an AJAX request with a PUT or POST, taking control of your home router without you knowing! Basically, using your machine as a place to run privileged scripts.

Preventing cross-origin access to resources in this way helps keep your privileged access safe.

Security for cross-origin resource sharing

Origin is one of several header fields that cannot be set for an XHR request by page authors. So you're safe to trust the Origin information of XHR requests.

But it is still possible for an attacker to send forged requests with malicious data directly. So you’re still required to validate incoming requests.

How does this protect against CSRF attacks?

This does not protect against CSRF attacks at all, because you are allowing all origins! It is the same as writing

Access-Control-Allow-Origin: *

You should create a list of accepted origins like the one below, which ensures that only those in the list are granted CORS access.

Scheme, domain and port are the important pieces of information to compare against. The port can be omitted when the defaults are used (http=80, https=443).

// Exact-match allowlist of origins: scheme, host and port all have to match.
$allowedOrigins = [
    'http://xxx-domain.org',
    'https://example.org',
    'http://localhost:8888',
];
// The header is absent on same-origin and non-browser requests; default to ''
// so in_array() never sees null. Strict comparison avoids PHP type juggling.
$origin = $this->request->server['HTTP_ORIGIN'] ?? '';
if (in_array($origin, $allowedOrigins, true)) {
    // Echo back only an origin that passed the check, never the raw header.
    $this->response->addHeader("Access-Control-Allow-Origin: {$origin}");
    $this->response->addHeader('Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS');
    $this->response->addHeader('Access-Control-Max-Age: 1000');
    $this->response->addHeader('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With');
}
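The following is an added example, not code from any of the answers above or their authors. It puts the three points the answers make into one Node.js module: responding with a per-origin Access-Control-Allow-Origin instead of "*" (first answer), treating the browser-set Origin header as trustworthy for client isolation while still validating every incoming request (second answer), and comparing scheme, host and port exactly against an allowlist (last answer). The allowed origins, the header values and the shape of handleRequest() are assumptions made for illustration; the sample requests at the bottom are constructed, not captured traffic.

```javascript
// Added example (not from the original post): exact-match Origin allowlist
// used both for CORS response headers and for an Origin-based CSRF check.
// ALLOWED_ORIGINS and handleRequest() are assumptions for illustration.

const ALLOWED_ORIGINS = new Set([
  "https://example.org",      // constructed allowlist for this example
  "http://xxx-domain.org",
  "http://localhost:8888",
]);

// Reduce an Origin header value to scheme://host[:port]. The WHATWG URL parser
// drops default ports, so "https://example.org:443" becomes "https://example.org".
// Anything that is not a single bare origin (a path, query, credentials, the
// literal "null" sent by sandboxed frames and file:// pages, or garbage) -> null.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch (_) {
    return null;
  }
  if (url.origin === "null") return null;            // opaque origin
  if (url.pathname !== "/" || url.search !== "" || url.hash !== "") return null;
  if (url.username !== "" || url.password !== "") return null;
  return url.origin;
}

function isAllowedOrigin(originHeader) {
  const origin = normalizeOrigin(originHeader);
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}

// CORS headers for one request. Returns {} when the origin is not listed, so the
// browser withholds the response from the calling page. Echoing whatever Origin
// arrives would be "*" in disguise, except that it also works with cookies.
function corsHeadersFor(originHeader) {
  if (!isAllowedOrigin(originHeader)) return {};
  return {
    "Access-Control-Allow-Origin": normalizeOrigin(originHeader),
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, PUT, POST, DELETE, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Requested-With",
    "Access-Control-Max-Age": "600",
    // The response depends on Origin; tell shared caches so a copy stored for
    // one origin is not replayed to another.
    "Vary": "Origin",
  };
}

// Independent of CORS: a state-changing request must come from an allowed
// origin. Browsers set Origin and Referer themselves and page scripts cannot
// override them, so a cross-site page cannot pass this check. A non-browser
// client can send any header it likes, so this complements, not replaces,
// authentication and body validation. Assumes GET/HEAD have no side effects.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function isRequestAllowed(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  if (headers.origin !== undefined) return isAllowedOrigin(headers.origin);
  // Fall back to Referer when Origin is absent; fail closed when both are.
  if (headers.referer !== undefined) {
    let refOrigin;
    try { refOrigin = new URL(headers.referer).origin; } catch (_) { return false; }
    return isAllowedOrigin(refOrigin);
  }
  return false;
}

// `headers` is assumed to use lowercase keys, as Node's http.IncomingMessage
// does. Returns { status, headers } for the caller to write out.
function handleRequest(method, headers) {
  const cors = corsHeadersFor(headers.origin);
  if (method.toUpperCase() === "OPTIONS") return { status: 204, headers: cors };
  if (!isRequestAllowed(method, headers)) return { status: 403, headers: {} };
  return { status: 200, headers: cors };
}

// Constructed sample requests, not captured traffic.
const samples = [
  ["OPTIONS", { origin: "https://example.org" }],
  ["POST",    { origin: "https://example.org" }],
  ["POST",    { origin: "https://example.org.evil.test" }],
  ["POST",    { referer: "http://localhost:8888/app" }],
  ["POST",    {}],
];
for (const [method, headers] of samples) {
  const { status, headers: out } = handleRequest(method, headers);
  console.log(method, JSON.stringify(headers), "->", status,
    out["Access-Control-Allow-Origin"] || "(no CORS headers)");
}
```

The suffix case is the one worth noticing: "https://example.org.evil.test" is not a prefix-or-substring match for "https://example.org" because the comparison is on the whole normalised origin, which is exactly why a regex or startsWith() check is the wrong tool here.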

