I've done some testing and have been able to fairly simply bypass this domain restriction using a local webserver and modifying the hosts file.
------------------------------
Vaun McCarthy
------------------------------
Original Message:
Sent: 03-09-2023 16:49
From: Angelo Cicchitto
Subject: How is domain restriction enforced for things like messenger deployments?
Browsers do not allow JavaScript to manipulate or tamper with that header; access is forbidden.
------------------------------
Angelo Cicchitto
Genesys - Employees
Original Message:
Sent: 03-09-2023 16:14
From: Vaun McCarthy
Subject: How is domain restriction enforced for things like messenger deployments?
Thanks Angelo, so someone could theoretically spoof that header to bypass the domain restriction?
------------------------------
Vaun McCarthy
Original Message:
Sent: 03-09-2023 15:50
From: Angelo Cicchitto
Subject: How is domain restriction enforced for things like messenger deployments?
Hi Vaun - the backend check happens based on the Origin header from the incoming HTTP request.
------------------------------
Angelo Cicchitto
Genesys - Employees
Original Message:
Sent: 03-09-2023 14:23
From: Vaun McCarthy
Subject: How is domain restriction enforced for things like messenger deployments?
Hi everybody
Can anybody tell me how exactly domain restriction is enforced when setting something like a messenger deployment to only be accessible from certain domains? Does it look for something in the headers or something else more intelligent?
#ArchitectureandDesign
#Security
------------------------------
Vaun McCarthy
------------------------------
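The check described in this thread, written out as an added example (this is not Genesys code, and it assumes a hypothetical deployment restricted to the domain www.example.com with constructed request headers): an Origin-header domain allowlist on the backend, evaluated against the kinds of requests it does and does not stop, including the local-webserver-plus-hosts-file case from the first post.

```javascript
// Added example (not Genesys code). Assumption: the messenger deployment is
// restricted to the hypothetical domain www.example.com.
const ALLOWED_DOMAINS = ['www.example.com'];

// Extract the hostname from an Origin header value. Returns null for a missing
// header, the opaque value "null" (file://, sandboxed iframes), an unparsable
// value, or anything carrying a path/query/credentials, which a real Origin
// header never has. All of those are rejected by the caller.
function originHostname(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.pathname !== '/' || url.search || url.hash || url.username || url.password) {
    return null;
  }
  return url.hostname; // already lower-cased by the URL parser
}

// Exact domain match or a subdomain of an allowed domain. Deliberately not a
// substring/endsWith check, which would accept www.example.com.attacker.example.
function domainAllowed(hostname, allowlist = ALLOWED_DOMAINS) {
  return allowlist.some((d) => hostname === d || hostname.endsWith('.' + d));
}

// The backend-side check from the thread: the only input is the header value.
function isOriginAllowed(headers, allowlist = ALLOWED_DOMAINS) {
  // Node lower-cases incoming header names; tolerate callers that do not.
  const host = originHostname(headers.origin ?? headers.Origin);
  return host !== null && domainAllowed(host, allowlist);
}

// Constructed headers, as the backend would see them in each scenario.
const REQUESTS = {
  // Browser loading the widget on the allowed site: the browser sets Origin
  // itself and page JavaScript cannot change it.
  browserOnAllowedSite: { origin: 'https://www.example.com' },
  // Browser on a third-party site that copied the embed snippet: blocked.
  browserOnOtherSite: { origin: 'https://attacker.example' },
  // Lookalike host that an endsWith('example.com') check would accept.
  lookalikeSite: { origin: 'https://www.example.com.attacker.example' },
  // curl / a script outside a browser: the client chooses the header freely.
  curlForgedOrigin: { origin: 'https://www.example.com' },
  // hosts file maps www.example.com to 127.0.0.1 and a local web server serves
  // the page there: the browser honestly reports the allowed domain.
  hostsFileLocalServer: { origin: 'http://www.example.com' },
  // No Origin header at all (plain same-origin GET, non-CORS client).
  noOrigin: {},
  opaqueOrigin: { origin: 'null' },
};

// Run every scenario through the check and return the verdicts by name.
function evaluate(requests = REQUESTS) {
  const verdicts = {};
  for (const [name, headers] of Object.entries(requests)) {
    verdicts[name] = isOriginAllowed(headers);
  }
  return verdicts;
}

console.table(evaluate());
```

Two of the "allowed" rows are the point of the thread: the backend only ever sees the header value, so a non-browser client supplies whatever Origin it likes, and a hosts-file override makes a real browser send the allowed domain without any header tampering at all. The check keeps other websites from embedding the deployment; it does not stop a user who controls their own machine.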