In this repository, we're trying to reproduce W-5919835, titled "CORS headers are misconfigured." That PSIRT issue describes how a web host outside of a Force.com Site can load resources that are stored on an authenticated Force.com Site.
Steps to reproduce:
- Verify that the image below is broken and does not load. You aren't authenticated with my site and shouldn't be able to load it.
- Click here and log into my authenticated Force.com Site. Username msenn-site@example.com, password applejack.
- Come back to this page.
- Verify that the image now does load. Attacking web pages would be able to load any static resource from an authenticated Force.com Site in this way, stealing customer metadata.
The stolen image should appear right here:
This attack works because of code in VisualforceDomainUtils. The getOriginForCORS method allows any domain name to be set as the Access-Control-Allow-Origin value, so the browser treats every requesting site as a trusted origin for credentialed responses.
core.apexpages.framework.VisualforceDomainUtils.getOriginForCORS(HttpServletRequest)
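To show the difference between the weak behaviour described above and an allowlist-based check, here is an added illustrative example; it is not the VisualforceDomainUtils code and the allowlist entries are constructed for the demonstration.

```python
# Added example: computing the Access-Control-Allow-Origin value safely.
# Illustrative only; not the VisualforceDomainUtils code referenced above.
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to read authenticated resources.
ALLOWED_ORIGINS = {"https://app.example.com", "https://site.example.com"}


def reflect_origin_weak(origin_header):
    """The weak pattern: echo whatever Origin the browser sent.
    With credentials allowed, any page can then read authenticated responses."""
    return origin_header


def normalize_origin(origin_header):
    """Return scheme://host[:port] in lowercase, or None if the header is not a
    well-formed origin (empty, 'null', a bad port, or carrying a path/query)."""
    if not origin_header:
        return None
    parts = urlsplit(origin_header.strip())
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port and port != default_port:
        return f"{parts.scheme}://{host}:{port}"
    return f"{parts.scheme}://{host}"


def get_origin_for_cors(origin_header, allowed=ALLOWED_ORIGINS):
    """Return the Access-Control-Allow-Origin value, or None to omit the header.
    Only exact allowlist matches pass: no substring or suffix checks, no '*'
    alongside credentials, and 'null' is never echoed back."""
    origin = normalize_origin(origin_header)
    if origin is None or origin not in allowed:
        return None
    return origin


def cors_headers(origin_header):
    """Build the CORS response headers for an authenticated static resource."""
    allow = get_origin_for_cors(origin_header)
    if allow is None:
        return {}  # no CORS headers: the cross-origin read is blocked
    return {
        "Access-Control-Allow-Origin": allow,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # responses differ per origin; keep caches from mixing them
    }
```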
Here is a working version of the image above. All I've done is upload this image to the org as a static resource named "cat".