Update cors-bypass.md
grammar
parent f42f349adc
commit a14105e3b2
@ -136,7 +136,7 @@ One notable exception is when the **victim's network location functions as a kin
|
||||
### Reflected `Origin` in `Access-Control-Allow-Origin`
|
||||
|
||||
In the real world this cannot happen as **these 2 values of the headers are forbidden together**.\
|
||||
It is also true that a lot of developers want to **allow several URLs in the CORS**, but subdomain wildcards or lists of URLs aren't allowed. Then, several developers **generates** the \*\*`Access-Control-Allow-Origin`\*\*header **dynamically**, and in more than one occasion they just **copy the value of the Origin header**.
|
||||
It is also true that a lot of developers want to **allow several URLs in the CORS**, but subdomain wildcards or lists of URLs aren't allowed. Then, several developers **generate** the \*\*`Access-Control-Allow-Origin`\*\*header **dynamically**, and in more than one occasion they just **copy the value of the Origin header**.
|
||||
|
||||
In that case, the **same vulnerability might be exploited.**
|
||||
|
||||
|
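Review bot: the corrected sentence still contains `\*\*` escapes around `Access-Control-Allow-Origin` and no space before "header", so it will render as literal asterisks run into the next word. Since this commit is a grammar pass over that exact line, unescape the bold markers and add the space in the same change. In the same sentence, "in more than one occasion" should read "on more than one occasion". Separately, the unchanged line above it ends with a trailing `\` used as a hard line break; check that this is intended for the renderer in use.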