Our security team identified that the web server accepts an arbitrary Origin request header. The application implements a cross-origin resource sharing (CORS) policy for this request that allows access from any domain. We tried requests with different origins (www.fakedomain.com) and they were accepted by the server and a valid response was sent back. (PoC attached: “cors origin”)
Although in our case
- the Embedded Domain Allow list is empty, which we assume permits requests only from our Looker domain, and
- Same-Origin Protections for Looker Login Pages was enabled,
the security team was still able to successfully request access from a different domain.
Please help us understand whether there are any additional steps to be followed to ensure that:
- requests with different origins (www.fakedomain.com) are not accepted by the server.
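A small header check, added here as an example and not part of the original post or of Looker, that classifies a CORS response for a given request Origin so you can tell a reflected arbitrary origin (the finding above) from a response restricted to an allowlisted domain. The trusted origin and the two sample header sets are constructed, not captured from a real server.

```python
# Added example (not from the original post). Classify a CORS response for the
# Origin that was sent, using headers captured from curl or browser devtools.

def classify_cors(request_origin, response_headers, trusted_origins):
    """Return (verdict, credentials_allowed).

    verdict is one of:
      'no-cors'     - no Access-Control-Allow-Origin header; browsers block cross-origin reads
      'allowlisted' - ACAO echoes the Origin and the Origin is on our trusted list
      'reflected'   - ACAO echoes an Origin that is NOT trusted (the misconfiguration)
      'wildcard'    - ACAO is '*'
      'other'       - ACAO names some origin different from the one we sent
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        verdict = "no-cors"
    elif acao == "*":
        verdict = "wildcard"
    elif acao == request_origin:
        verdict = "allowlisted" if request_origin in trusted_origins else "reflected"
    else:
        verdict = "other"
    return verdict, creds


def is_risky(verdict, creds):
    """Reflecting an untrusted origin is the finding to fix; it is worse when
    credentials (cookies) are also allowed, because authenticated data leaks."""
    return verdict == "reflected"


# Constructed sample: the origin we trust (assumed name, not a real Looker host).
TRUSTED = {"https://looker.example.com"}

# Constructed misconfigured response: the untrusted Origin is echoed back with credentials.
REFLECTED_RESPONSE = {
    "Access-Control-Allow-Origin": "https://www.fakedomain.com",
    "Access-Control-Allow-Credentials": "true",
}

# Constructed hardened response: an untrusted Origin gets no ACAO header at all.
HARDENED_RESPONSE = {"Vary": "Origin", "Content-Type": "application/json"}

if __name__ == "__main__":
    for name, resp in (("reflected", REFLECTED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        verdict, creds = classify_cors("https://www.fakedomain.com", resp, TRUSTED)
        print(f"{name}: verdict={verdict} credentials={creds} risky={is_risky(verdict, creds)}")
```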