An application I'm working on responds to a wildcard Origin header by setting the Access-Control-Allow-Origin to `subdomain.app.com` if it ends with `.app.com`.
However, if I append `.app.com` to a GET variable, as below:

    Origin: example.com?q=.app.com

it responds with the following:

    Access-Control-Allow-Origin: example.com?q=.app.com
This is vulnerable if browsers can be configured to pass the GET variable, or entire url.
I'm wondering if any browsers send the Origin header along with the entire URL, or if JavaScript can be configured to allow this. From my testing, Chrome/Firefox set the Origin header to the TLD only. Does anyone know if this configuration is vulnerable?
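The check described in the question, beside a hardened alternative, as an added example that is not code from the original post. The constants and function names (`allowOriginSuffixOnly`, `allowOriginParsed`, `accessControlAllowOrigin`) are hypothetical, and the sample header values are constructed. The suffix-only version accepts `example.com?q=.app.com` exactly as the question shows; the parsed version requires the header to be a well-formed `https://host[:port]` origin whose hostname is `app.com` or a subdomain of it, so a value carrying a path or query is rejected regardless of how it ends.

```javascript
// Added example (not from the original post): a suffix-only Origin check
// like the one described in the question, beside a hardened version.
// Function and constant names are hypothetical.

const ALLOWED_SUFFIX = '.app.com';
const ALLOWED_APEX = 'app.com';

// Flawed: plain suffix match on the raw header value. Anything ending in
// ".app.com" passes, including "example.com?q=.app.com".
function allowOriginSuffixOnly(origin) {
  return typeof origin === 'string' && origin.endsWith(ALLOWED_SUFFIX);
}

// Hardened: parse the header as a URL, require https, and insist that the
// raw header equals its own serialized origin (scheme://host[:port]), which
// rejects any value carrying userinfo, a path, a query or a fragment. Only
// then apply the hostname allow rule.
function allowOriginParsed(origin) {
  if (typeof origin !== 'string') return false;
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // "example.com?q=.app.com" has no scheme and does not parse
  }
  if (url.protocol !== 'https:') return false;
  if (url.origin !== origin) return false; // must be exactly scheme://host[:port]
  const host = url.hostname;
  return host === ALLOWED_APEX || host.endsWith(ALLOWED_SUFFIX);
}

// What a CORS layer would echo back: the validated origin, or nothing at all
// (null here; a real middleware would simply omit the header).
function accessControlAllowOrigin(origin, check) {
  return check(origin) ? origin : null;
}

// Constructed sample Origin header values for side-by-side comparison.
const SAMPLE_ORIGINS = [
  'https://subdomain.app.com',          // legitimate subdomain
  'https://app.com',                    // apex domain
  'example.com?q=.app.com',             // the value from the question
  'https://example.com?q=.app.com',     // same trick with a scheme
  'https://subdomain.app.com/path?q=1', // origin with path and query
  'http://subdomain.app.com',           // plain http
  'https://app.com.attacker.example',   // prefix lookalike
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const o of SAMPLE_ORIGINS) {
    console.log(
      o.padEnd(38),
      'suffix-only:', allowOriginSuffixOnly(o),
      'parsed:', allowOriginParsed(o)
    );
  }
}
```

Note that `url.origin !== origin` also rejects header values that differ from the browser's canonical serialization (uppercase hostnames, explicit default ports, trailing slashes), which is deliberate: a real browser always sends the canonical form, so anything else is not a browser-generated Origin.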