Tests verifying the soundness of the Access-Control-Allow-Origin header
The wildcard (*) cannot be used to allow multiple origins while at the same time allowing authenticated requests. This is why many implementations create dynamic responses based on the Origin header. If an endpoint blindly allows all origins while at the same time allowing authenticated requests, either the resource should not require authentication or it is too sensitive to be shared across origin boundaries. This test case checks whether the endpoint blindly replays the Origin header in the Access-Control-Allow-Origin header.
Allowing the null origin in an Access-Control-Allow-Origin header is equivalent to allowing every origin, because any page can obtain a null origin (for example from a sandboxed iframe). Combined with allowing authenticated requests, the same concerns as with insecure dynamic header generation apply.
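The two checks above, written out as an added example (not the test suite's own code): classify_cors labels one response to a request that carried a tester-controlled Origin, and safe_acao shows the allowlist-based dynamic response a correct implementation emits instead of replaying the header. The sample headers and the origin https://tester.example are constructed for the example.

```python
from typing import Dict, FrozenSet, Optional

ACAO = "access-control-allow-origin"
ACAC = "access-control-allow-credentials"


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip()
    return None


def classify_cors(sent_origin: str, headers: Dict[str, str]) -> str:
    """Label a response to a request whose Origin header was sent_origin.

    sent_origin is an origin the service must NOT legitimately trust, or the
    literal string "null" for the second test case.
    """
    acao = _header(headers, ACAO)
    with_creds = (_header(headers, ACAC) or "").lower() == "true"
    if acao is None:
        return "no-cors"                      # resource is not shared cross-origin
    if acao == "*":
        # Browsers refuse credentialed responses carrying a wildcard, so this
        # only matters for resources that should not require authentication.
        return "wildcard"
    if acao == "null" and sent_origin == "null" and with_creds:
        return "null-origin-with-credentials"  # any sandboxed iframe can use it
    if acao == sent_origin and with_creds:
        return "reflected-origin-with-credentials"  # blind Origin replay
    if acao == sent_origin:
        return "reflected-origin"             # replayed, but without credentials
    return "fixed-origin"                     # a value that is not ours: fine


def safe_acao(request_origin: Optional[str],
              allowlist: FrozenSet[str]) -> Dict[str, str]:
    """Dynamic ACAO done correctly (assumed shape, not from the original page):
    exact match against a fixed allowlist, never "null", and Vary: Origin so
    shared caches do not serve one origin's response to another."""
    headers = {"Vary": "Origin"}
    if request_origin and request_origin != "null" and request_origin in allowlist:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```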