mmianl
ZITADEL · 6mo ago · 4 replies

Can Set Arbitrary CORS Headers Using ORIGIN Header

It seems that setting an Origin header to an arbitrary value (e.g. https://www.example.com) results in an Access-Control-Allow-Origin: https://www.example.com header being set in the response. And it seems that there is no validation (e.g. using some kind of allow-list) of these headers.

Is that intentional?
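As an added illustration (not ZITADEL's code and not part of the original post), the following Go program contrasts a handler that reflects whatever Origin it receives with one that only echoes an Origin that exactly matches an allow-list, and includes a probe that reproduces the observation above against either handler. The handler names, the /api/resource path and the allow-listed origin https://app.example.org are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// reflectingCORS mirrors whatever Origin the client sends into
// Access-Control-Allow-Origin without checking it. This is the behaviour
// described in the question above (hypothetical handler, not ZITADEL's).
func reflectingCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			w.Header().Set("Access-Control-Allow-Origin", origin)
		}
		next.ServeHTTP(w, r)
	})
}

// allowListCORS echoes the Origin back only when it exactly matches an
// allow-list entry (scheme + host + port); anything else gets no
// Access-Control-Allow-Origin header at all, so the browser blocks the read.
func allowListCORS(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]struct{}, len(allowed))
	for _, o := range allowed {
		set[o] = struct{}{}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if _, ok := set[origin]; ok {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			// Vary: Origin keeps shared caches from serving one origin's
			// allowed response to a different origin.
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// probeOrigin sends a request carrying the given Origin to the handler and
// returns the Access-Control-Allow-Origin value it produced ("" if none).
// The /api/resource path is an assumption for the example.
func probeOrigin(h http.Handler, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/api/resource", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

// reflectsArbitraryOrigin reports whether the handler echoes an origin that
// should not be trusted, i.e. the observation from the question above.
func reflectsArbitraryOrigin(h http.Handler) bool {
	const attacker = "https://www.example.com"
	return probeOrigin(h, attacker) == attacker
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	reflecting := reflectingCORS(ok)
	checked := allowListCORS([]string{"https://app.example.org"}, ok)

	fmt.Println("reflecting handler echoes arbitrary origin:", reflectsArbitraryOrigin(reflecting))
	fmt.Println("allow-list handler echoes arbitrary origin:", reflectsArbitraryOrigin(checked))
	fmt.Println("allow-list handler echoes allowed origin:  ", probeOrigin(checked, "https://app.example.org"))
	// A look-alike origin that merely contains the allowed host as a prefix
	// must not pass an exact-match check.
	fmt.Printf("allow-list handler echoes look-alike origin: %q\n", probeOrigin(checked, "https://app.example.org.evil.net"))
}
```

Two things worth checking before calling reflected Origin a finding: a reflected Access-Control-Allow-Origin lets a third-party page read a response only when the response is also sent with Access-Control-Allow-Credentials: true and the request is authenticated by something the browser attaches automatically (cookies, ambient TLS client auth). An endpoint that only accepts a bearer token in the Authorization header is not readable cross-origin by an attacker who does not hold that token, though it is still cleaner to match against an allow-list as above. The exact-match comparison also matters: prefix or substring checks accept origins such as https://app.example.org.evil.net.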