Can Set Arbitrary CORS Headers Using ORIGIN Header
It seems that setting an Origin header to an arbitrary value (e.g. https://www.example.com) results in Access-Control-Allow-Origin: https://www.example.com being set in the response. And it seems that there is no validation (e.g. using some kind of allow-list) of these headers.
Is that intentional?
Hello Zitadel Team,
Can someone tell me more about this, or point out docs/open issues/etc where I can find out more about this?
hey @mmianl apologies for the delay, can you please describe your issue a bit more? Which request/response are you talking about?
Thanks
Sure. You can take a look at the screenshot. It shows that the Access-Control-Allow-Origin header in the response mirrors the value that I passed in the Origin header, and this value is not filtered by any allow list or similar.
Is this intentionally so permissive? Is this worrying from a security point of view?

hey @mmianl you can read more about it here https://github.com/zitadel/zitadel/discussions/8951#discussioncomment-11381177
The OIDC endpoints are configured to allow all origins by design
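As an added example (not code from this thread or from Zitadel): a small Python checker that takes the headers of a response to a request sent with a chosen Origin and reports whether the Access-Control-Allow-Origin value is absent, a wildcard, a fixed value, or a reflection of the request header, and whether a reflection is paired with Access-Control-Allow-Credentials: true, which is what turns "allow all origins" into a cross-origin read of responses that carry the victim's cookies. It goes beyond the single arbitrary origin tested in the question by also generating the usual probe variants that catch an allow-list matched by prefix, suffix or without the scheme. The response header sets at the bottom are constructed for illustration, the attacker.example and idp.example names are placeholders, and only probe_cors() contacts a server, and only when you call it.

```python
"""Check whether a CORS policy reflects an arbitrary Origin.

Added example; not code from the discussion above or from Zitadel.
The header dicts near the bottom are constructed samples.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Mapping, Tuple

# Origins no allow-list should contain. If a server echoes one of these
# back, it is reflecting the request header rather than checking it.
UNTRUSTED_PROBES = ["https://attacker.example", "null"]


def bypass_probes(trusted_origin: str) -> List[str]:
    """Origins that a loose allow-list check (prefix, suffix, or a match
    that ignores the scheme) would accept for trusted_origin."""
    scheme, _, host = trusted_origin.partition("://")
    return [
        f"{scheme}://{host}.attacker.example",  # passes a startswith() check
        f"{scheme}://attacker-{host}",          # passes an endswith() check
        f"http://{host}",                       # scheme downgrade
    ]


def assess(origin: str, headers: Mapping[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for the CORS headers of a response to a
    request whose Origin header was `origin`."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]

    if acao is None:
        return "none", "no Access-Control-Allow-Origin; browsers block cross-origin reads"
    if acao == "*":
        # Browsers refuse to combine "*" with credentials, so this only
        # exposes what an unauthenticated client could fetch anyway.
        return "public", "wildcard origin; anonymous cross-origin reads only"
    if acao != origin:
        return "fixed", f"server answered with a different origin ({acao})"

    # The request origin was echoed. Without Vary: Origin a shared cache
    # may serve this response, and its ACAO, to a different origin.
    cache_note = "" if ("origin" in vary or "*" in vary) else "; no Vary: Origin"
    if creds:
        return "reflected-with-credentials", (
            "any site can read responses sent with the victim's cookies" + cache_note)
    return "reflected", "origin echoed without credentials; equivalent to *" + cache_note


def probe_cors(url: str, origin: str, method: str = "GET",
               timeout: float = 10) -> Dict[str, str]:
    """Send one request with a chosen Origin and return the response headers.
    4xx/5xx responses still carry CORS headers, so they are kept."""
    req = urllib.request.Request(url, headers={"Origin": origin}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


def run_probes(responder: Callable[[str], Mapping[str, str]],
               trusted_origin: str) -> Dict[str, str]:
    """Map every probe origin to its verdict. `responder` returns the
    response headers for a given Origin (e.g. a probe_cors() wrapper)."""
    return {o: assess(o, responder(o))[0]
            for o in UNTRUSTED_PROBES + bypass_probes(trusted_origin)}


# Constructed sample responses (not captured from any real server).
REFLECTING_NO_CREDS = {
    "Access-Control-Allow-Origin": "https://attacker.example",
    "Vary": "Origin",
}
REFLECTING_WITH_CREDS = {
    "Access-Control-Allow-Origin": "https://attacker.example",
    "Access-Control-Allow-Credentials": "true",
}
ALLOWLISTED = {
    "Access-Control-Allow-Origin": "https://www.example.com",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    for name, hdrs in [("reflecting, no credentials", REFLECTING_NO_CREDS),
                       ("reflecting, credentials", REFLECTING_WITH_CREDS),
                       ("allow-listed", ALLOWLISTED)]:
        print(f"{name}: {assess('https://attacker.example', hdrs)}")
    # Live use (hypothetical URL):
    # run_probes(lambda o: probe_cors(
    #     "https://idp.example/.well-known/openid-configuration", o),
    #     "https://www.example.com")
```

The verdict to act on is "reflected-with-credentials": that combination lets any page the victim visits read authenticated responses. A reflected origin without the credentials flag grants the same access as "*", which is the normal shape for OIDC endpoints that browser-based public clients must reach from any origin; the remaining thing worth checking there is Vary: Origin, so that a cache does not hand one client's ACAO value to another.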