# Errors parsing Origin headers Some applications that support access from multiple origins do so by using a whitelist of allowed origins. When a CORS request is received, the supplied origin is compared to the whitelist. **If the origin appears on the whitelist then it is reflected in the Access-Control-Allow-Origin header so that access is granted.** Mistakes often arise when implementing CORS origin whitelists. Some organizations decide to allow access from all their subdomains (including future subdomains not yet in existence). And some applications allow access from various other organizations' domains including their subdomains. These rules are often implemented by **matching URL prefixes or suffixes, or using regular expressions**. Any mistakes in the implementation can lead to access being granted to unintended external domains. For example, suppose an application grants access to all domains ending in: ``` normal-website.com ``` An attacker might be able to gain access by registering the domain: ``` hackersnormal-website.com ``` Alternatively, suppose an application grants access to all domains beginning with ``` normal-website.com ``` An attacker might be able to gain access using the domain: ``` normal-website.com.evil-user.net ``` *** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.nomanaziz.me/cybersecurity/penetration-testing/portswigger/cross-origin-resource-sharing-cors/vulnerabilities-arising-from-misconfigurations/errors-parsing-origin-headers.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.