Same-origin policy with local Host record
I have a REST service that I want to secure with CORS. The client application is provided by domain.com and the REST service is domain.com/service.
The REST service filters out requests depending on the Origin header or an authentication token. This is the required behavior.
The problem comes when the user inserts a local DNS record (hosts file in Windows) for domain.com and loads the malicious code from a local machine. In this case the browser will send the request with the Origin header set to domain.com. This will bypass the Origin check that we have in place. How can we handle this issue?
http cors same-origin-policy
edited Mar 25 at 17:52 by Dimitar Pavlov
asked Mar 25 at 17:45 by Dimitar Pavlov (190 reputation, 2 silver badges, 9 bronze badges)
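As an added example (not code from the question, and not from any project it mentions), the following shows the two checks the question describes side by side: a strict Origin allowlist and an authentication-token gate. The Origin header is a statement made by the requesting user agent, so an Origin check can only refuse cross-origin reads that some other site's page triggers from a user's browser; it cannot tell a user who has pointed domain.com at their own machine apart from the real client, which is why access to the data is decided by the token and the Origin check governs CORS only. The function names, the token table, and the https scheme for domain.com are assumptions; the question names only domain.com.

```python
"""Strict Origin allowlist plus token-based authorization for a REST endpoint.

Added example, not code from the question. Assumptions: the client is served
over https (the question names only domain.com), and a bearer token identifies
the user. The token table below is constructed for the example.
"""
from urllib.parse import urlsplit

# Exact origins allowed to read responses cross-origin (scheme + host + port).
ALLOWED_ORIGINS = {"https://domain.com"}

# Constructed stand-in for a real session/token store.
VALID_TOKENS = {"tok-constructed-123": "alice"}


def normalize_origin(origin):
    """Return 'scheme://host:port' for a well-formed Origin value, else None.

    An Origin never carries a path, query, fragment or credentials, and the
    opaque value 'null' (sandboxed frames, file://) should match nothing.
    """
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # .hostname is already lower-cased by urlsplit
    return f"{parts.scheme}://{parts.hostname}:{port}"


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Exact match after normalization: no substring or prefix tests, so a
    value such as 'https://domain.com.evil.example' never passes."""
    wanted = normalize_origin(origin)
    if wanted is None:
        return False
    return wanted in {normalize_origin(a) for a in allowed}


def authorize(method, headers):
    """Decide the response for one request. Returns (status, headers, body).

    The Origin check only controls whether a browser may read the response
    cross-origin (CORS). Whether the caller may see the data at all is
    decided by the token, because any client, browser or not, can send
    whatever Origin value it likes.
    """
    resp = {}
    origin = headers.get("Origin")
    if origin is not None:
        if not origin_allowed(origin):
            return 403, resp, "origin not allowed"
        # Echo only an allowlisted origin (never '*') and vary on it so a
        # shared cache cannot serve one origin's grant to another.
        resp["Access-Control-Allow-Origin"] = origin
        resp["Vary"] = "Origin"
        if method == "OPTIONS":  # CORS preflight: no data is returned
            resp["Access-Control-Allow-Methods"] = "GET, POST"
            resp["Access-Control-Allow-Headers"] = "Authorization"
            return 204, resp, ""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user = VALID_TOKENS.get(token)
    if user is None:
        return 401, resp, "authentication required"
    return 200, resp, f"data for {user}"


if __name__ == "__main__":
    # A request that passes the Origin check but carries no token is refused.
    print(authorize("GET", {"Origin": "https://domain.com"}))
    # A request with a valid token and an allowlisted Origin succeeds.
    print(authorize("GET", {"Origin": "https://domain.com",
                            "Authorization": "Bearer tok-constructed-123"}))
```

The point of the split is that the two checks answer different questions: `origin_allowed` decides which web origins a browser may hand the response to, and `authorize` decides who the caller is. A same-origin request (no Origin header on a simple GET) or a non-browser client skips the CORS branch entirely and is still gated by the token.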