My understanding is that HTTP headers can be spoofed, but CORS policies are considered a legitimate security measure in terms of trusting the origin of a request.
I’m inspecting the conn struct of a request made by my Phoenix application and trying to figure out how to think about a CORS policy.
I see the following:
- In the headers map: `"sec-fetch-site" => "same-origin"`
- In `req_headers`: `{"sec-fetch-site", "same-origin"}`
- In `resp_headers`: `{"x-frame-options", "SAMEORIGIN"}` and `{"cross-origin-window-policy", "deny"}`
- There are several places where a `host` or `referer` is referenced that has the URL of the request
I assume the `host` and `referer` headers can't be trusted?
Is the req_header `{"sec-fetch-site", "same-origin"}` what indicates that it's a same-origin request (e.g., does the browser send that if it confirms it's same-origin)? If so, I assume that can be trusted?
Is there any way to get the URL of a request from a trusted header, or is a same-origin marker the best that can be done?
It looks like there are a couple of Hex packages that deal with CORS, but I was hoping to understand exactly how the request process works here with Phoenix (and better understand how CORS works).
Thanks in advance for any help on this!
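As an added illustration of how the headers listed in the question can be consumed on the Phoenix side (example code written for this thread, not the poster's code and not from any Hex CORS package): a small plug that reads `sec-fetch-site` and `origin` from `req_headers` and refuses state-changing requests the browser itself classifies as coming from another site. The module name `MyAppWeb.Plugs.BrowserOriginPolicy`, the `:allowed_origins` option and the origins in the usage comment are hypothetical; the only real API used is `Plug.Conn` and `Logger`. The design point it demonstrates is the one the question circles around: `Sec-Fetch-Site` and `Origin` are written by the browser and cannot be set by page JavaScript, so they are a reliable signal about browser-originated requests, while a non-browser client can send any headers it likes, so the plug is a browser isolation control, not authentication, and `host`/`referer` are deliberately not consulted.

```elixir
# Added example for this thread; not the poster's code or a Hex package.
# Assumes a Phoenix app in the MyAppWeb namespace; module and option
# names are hypothetical.
defmodule MyAppWeb.Plugs.BrowserOriginPolicy do
  @moduledoc """
  Denies unsafe (state-changing) requests that the browser reports as
  coming from another site, using the browser-set Sec-Fetch-Site and
  Origin request headers. Host and Referer are not used: Host is sent by
  the client and Referer may be stripped by referrer policies.
  """
  @behaviour Plug
  import Plug.Conn
  require Logger

  # Safe methods must not change state; what a cross-origin page can read
  # from their responses is already limited by the same-origin policy/CORS.
  @safe_methods ~w(GET HEAD OPTIONS)

  @impl Plug
  def init(opts) do
    # :allowed_origins must list the app's own configured origin(s) as well,
    # because the Origin fallback path below compares against this list.
    Keyword.put_new(opts, :allowed_origins, [])
  end

  @impl Plug
  def call(conn, opts) do
    # req_headers is a list of {name, value} tuples with lowercased names;
    # get_req_header/2 returns every value for a name as a list.
    site = get_req_header(conn, "sec-fetch-site")
    origin = get_req_header(conn, "origin")

    case decide(conn.method, site, origin, opts[:allowed_origins]) do
      :allow ->
        conn

      {:deny, reason} ->
        # Log denials so cross-site attempts are visible in telemetry.
        Logger.warning(
          "origin policy denied #{conn.method} #{conn.request_path}: #{reason}"
        )

        conn
        |> put_resp_content_type("text/plain")
        |> send_resp(403, "forbidden: " <> reason)
        |> halt()
    end
  end

  @doc """
  Pure decision function, so it can be unit-tested without a %Plug.Conn{}.
  `site` and `origin` are header value lists as returned by get_req_header/2.
  """
  def decide(method, _site, _origin, _allowed) when method in @safe_methods, do: :allow

  # The browser vouches that the request came from this exact origin.
  def decide(_method, ["same-origin"], _origin, _allowed), do: :allow

  # "none" is a user-initiated navigation (typed URL, bookmark), not a page's request.
  def decide(_method, ["none"], _origin, _allowed), do: :allow

  # "same-site" (e.g. a sibling subdomain) or "cross-site": only explicitly
  # allow-listed origins pass, and only when the browser also sent Origin.
  def decide(_method, [site], [origin], allowed) when site in ["same-site", "cross-site"] do
    if origin in allowed, do: :allow, else: {:deny, "#{site} request from #{origin}"}
  end

  def decide(_method, [site], [], _allowed) when site in ["same-site", "cross-site"],
    do: {:deny, "#{site} request without Origin"}

  # No Sec-Fetch-Site (older browser or non-browser client): fall back to
  # Origin, which browsers attach to unsafe methods and to CORS requests.
  def decide(_method, [], [origin], allowed) do
    if origin in allowed, do: :allow, else: {:deny, "origin #{origin} not allowed"}
  end

  # Neither header on an unsafe request is not what a current browser
  # produces, so treat it as a non-browser client and leave the decision
  # to the authentication layer.
  def decide(_method, [], [], _allowed), do: :allow

  # Duplicate or unexpected header values are rejected outright.
  def decide(_method, _site, _origin, _allowed), do: {:deny, "malformed fetch metadata"}
end

# Usage in router.ex (hypothetical pipeline and origins):
#
#   pipeline :browser do
#     plug MyAppWeb.Plugs.BrowserOriginPolicy,
#       allowed_origins: ["https://app.example.com"]
#   end
```

Because `decide/4` is pure, it can be exercised in ExUnit with plain values, e.g. `decide("POST", ["cross-site"], ["https://evil.example"], ["https://app.example.com"])` returns a `{:deny, _}` tuple while `decide("POST", ["same-origin"], [], [])` returns `:allow`. Note that this plug does not replace Phoenix's CSRF token protection; it is an additional, header-based layer that also covers requests the token check does not see.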