CORS and Plug - What header data can be trusted?

My understanding is that http headers can be spoofed but CORS policies are considered a legitimate security measure in term of trusting the origin of a request.

I’m inspecting the conn struct of a request made by my Phoenix application and trying to figure out how to think about a CORS policy.

I see the following:

  • In headers map: “sec-fetch-site” => “same-origin”
  • In req_headers: {“sec-fetch-site”, “same-origin”}
  • In resp_headers: {“x-frame-options”, “SAMEORIGIN”} and {“cross-origin-window-policy”, “deny”}
  • There are several places where a “host” or “referer” are referenced that have the URL of the request

I assume “host” and “referer” headers can’t be trusted?

Is the req_header of {“sec-fetch-site”, “same-origin”} what indicates that it’s a same-origin request (e.g., the browser sends that if it confirms it’s same-origin?). If so, I assume that can be trusted?

Is there anyway to get the URL of a request from a trusted header or is a same-origin marker the best that can be done?

It looks like there are a couple hex packages that deal with CORS but I was hoping to understand exactly how the request process here works with Phoenix (and better understand how CORS works).

Thanks in advance for any help on this!

I think no headers, including origin, can be trusted; you can trust your own credentials (like cookies). I just return whatever origin presented in the incoming requests (to make browser happy) and check cookies using normal authentication practices.

If the cookie was stolen then is is not the server side’s fault anyway.