Is it possible to somehow falsify the data in the Origin header? The question is asked for the purpose of protection.

    GET /ttt HTTP/1.1
    Host: server.example.com
    Upgrade: websocket
    Connection: Upgrade
    Origin: http://webru.ru
    Sec-WebSocket-Key: 32f2f2f2342r23
    Sec-WebSocket-Version: 13


    You cannot change the Origin header, but you can modify the request headers through extensions using WebRequest.

    • So it is possible to forge a request and it will be valid? - Yuri Svetlov
    • @YuriSvetlov yes, it will be valid. - user192664
    • So there is no way to check where the connection came from? Hmm... Strange protocol, everywhere they write that it is protected. - Yuri Svetlov
    • @YuriSvetlov You do not change the protocol itself, you change the requests. - user192664
    • What does that mean? That everything is in order and nothing can be faked? You just wrote that you can fake requests. Or maybe I did not understand you. But thanks anyway. - Yuri Svetlov

    You do not need to think about whether you can fake Origin; instead you should check whether the Origin is suitable or not and return the desired Access-Control-Allow-Origin. With a correct Access-Control-Allow-Origin, a cross-domain attack is impossible.
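A server-side Origin check of the kind this answer describes, written as an added example that is not from the question or either answer: it parses the handshake shown in the question and accepts the upgrade only when the Origin is an exact scheme://host match against an allowlist (the allowed origins and the `/ttt` endpoint logic are assumed values).

```python
from typing import Optional
from urllib.parse import urlsplit

# Origins allowed to open a WebSocket to this server (assumed example values).
ALLOWED_ORIGINS = {"https://app.example.com", "https://server.example.com"}

# Constructed handshake request modelled on the one in the question.
HANDSHAKE = (
    "GET /ttt HTTP/1.1\r\n"
    "Host: server.example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: http://webru.ru\r\n"
    "Sec-WebSocket-Key: 32f2f2f2342r23\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:  # empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def origin_allowed(origin: Optional[str]) -> bool:
    """Whole-value comparison of scheme://host[:port]; never a substring or suffix match."""
    if origin is None:
        # Browsers always send Origin on a WebSocket handshake; a missing header
        # means a non-browser client, which this check cannot vouch for.
        return False
    parts = urlsplit(origin)
    # A serialized origin has scheme and host only; "null", paths or odd schemes are rejected.
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
        return False
    return f"{parts.scheme}://{parts.netloc}".lower() in ALLOWED_ORIGINS


def handshake_response(raw: str) -> str:
    """Decide the status line the server answers the handshake with."""
    h = parse_headers(raw)
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in h.get("connection", "").lower():
        return "HTTP/1.1 400 Bad Request"
    if not origin_allowed(h.get("origin")):
        return "HTTP/1.1 403 Forbidden"  # the request from the question ends up here
    return "HTTP/1.1 101 Switching Protocols"
```

The decision has to be made by the server at handshake time: a browser sets Origin on the user's behalf and will not enforce anything after the 101 is returned, while a non-browser client or a modified browser can send any Origin it likes, so the check protects against cross-site browser pages rather than against arbitrary clients.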