Our security team identified that the web server accepts arbitrary origin request header. The application implements cross-origin resource sharing (CORS) policy for this request that allows access from any domain. We tried request with different orig...