CORS implementation

  • 10 May 2022
  • 2 replies

Our security team identified that the web server accepts an arbitrary Origin request header. The application implements a cross-origin resource sharing (CORS) policy for this request that allows access from any domain. We tried requests with different origins ( and they are accepted by the server and a valid response is sent back. (PoC attached: "cors origin")

Although, in our case:

  1. The Embedded Domain Allow list is empty, which we are assuming permits requests only from our Looker domain.
  2. Same-Origin Protections for Looker Login Pages was enabled.

The security team was still able to successfully request access from a different domain.

Please help us understand whether there are any additional steps to be followed to ensure that:

  1. requests with different origins ( , are not accepted by the server.
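The behaviour described in this post, an `Origin` header that is echoed back verbatim in `Access-Control-Allow-Origin`, is what lets a page on another site read the response. The following is an added example, not Looker's code or a Looker setting: it shows a strict server-side origin allowlist (exact match, no reflection, no `*` when credentials are involved) next to a small classifier that labels what a captured response tells you about the policy, so that a finding like the one above can be reproduced and verified against your own server. The allowlist entries, origins and response headers below are constructed for the example.

```python
"""Strict CORS origin allowlist and a response classifier.

Added example; not Looker code. All origins and header values are constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist: a real deployment lists only its own first-party origins.
ALLOWED_ORIGINS = frozenset({
    "https://analytics.example.com",
    "https://app.example.com",
})


def normalize_origin(origin):
    """Return scheme://host[:port] in lowercase, or None if the value is not a
    well-formed origin (e.g. the literal 'null', a bare hostname, a path)."""
    if origin is None:
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers_for(request_origin, allowlist=ALLOWED_ORIGINS):
    """Headers to add to a response; an empty dict means no CORS grant at all.

    The only safe grant is an exact match against a fixed allowlist. Echoing
    whatever Origin arrives (the behaviour reported above) hands the response
    to any site that asks for it.
    """
    origin = normalize_origin(request_origin)
    if origin is None or origin not in allowlist:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,  # exact origin, never "*" with credentials
        "Vary": "Origin",  # caches must not serve one origin's grant to another
        "Access-Control-Allow-Credentials": "true",
    }


def classify_cors_response(sent_origin, response_headers, allowlist=ALLOWED_ORIGINS):
    """Label what a response says about the server's CORS policy.

    sent_origin is the Origin header the test request carried; response_headers
    is a dict of response headers (looked up case-insensitively).
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors-grant"
    if acao == "*":
        return "wildcard-with-credentials" if creds else "wildcard"
    sent = normalize_origin(sent_origin)
    if sent is not None and normalize_origin(acao) == sent:
        if sent in allowlist:
            return "allowlisted-origin"
        return "reflects-arbitrary-origin"  # the finding described in the post
    return "fixed-origin"


if __name__ == "__main__":
    # Constructed response of the kind the post describes: Origin echoed back.
    reflected = {
        "Access-Control-Allow-Origin": "https://other.example.net",
        "Access-Control-Allow-Credentials": "true",
    }
    print(classify_cors_response("https://other.example.net", reflected))
    print(cors_headers_for("https://other.example.net"))       # {} -> no grant
    print(cors_headers_for("https://APP.example.com:443/"))    # exact allowlisted origin
```

`normalize_origin` is deliberately strict: it rejects `null`, paths, userinfo and malformed ports, and collapses default ports and case so that the allowlist comparison is exact rather than a substring or prefix match, which is the usual way a "restricted" CORS check ends up accepting origins it should not.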

2 replies

Hi AnalystHOK

Were you able to execute a script?



In the HTTP header, when the parameter "Origin:" was passed, the web server accepted the arbitrary Origin header and sent a valid response code 200.