Fiddler Ideas

The free web debugging proxy for any browser, system or platform.

Lint Access-Control-Allow-Origin header

A site might send an Access-Control-Allow-Origin response header with a value like *.example.com; this is illegal, as the only valid values are either * or a specific origin (e.g. https://www.example.com). Fiddler should test for this mistake in two places:

1. A new LINT test that looks for a value of this header which is not a legal origin.

2. The existing SecurityHeaders computed field in the Miscellaneous values (http://www.telerik.com/blogs/visualizing-security-information-with-fiddler) should warn (using a ! marker) if the field value is invalid.

If testing for a legal origin proves too hard (e.g. I'd just use a .NET URI object and TryParse the string; if that fails and the input isn't literally "*", then the value is illegal), then as an approximation we could test whether the field contains any non-prefix/suffix whitespace (if so, invalid) and check that, if it contains *, it contains no other characters (if it does, invalid).
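The check described above, written out as an added stand-alone example (not Fiddler's own .NET code): the value is accepted only if it is literally "*" or parses as a bare scheme://host[:port] origin, and the two approximation heuristics (interior whitespace, * mixed with other characters) are reported as separate findings. The lint_acao and security_headers_display function names are this example's own. The constructed sample values at the bottom are not taken from any real site.

```python
from urllib.parse import urlsplit

# Schemes that a browser will send as part of an Origin (assumption for this example).
ORIGIN_SCHEMES = ("http", "https")


def lint_acao(value: str) -> list[str]:
    """Return lint findings for an Access-Control-Allow-Origin value; [] means legal."""
    findings: list[str] = []
    stripped = value.strip()          # leading/trailing whitespace is tolerated
    if stripped == "*":
        return findings               # the bare wildcard is legal
    if "*" in stripped:
        # Approximation from the post: * may not be combined with other characters
        findings.append("'*' must stand alone (e.g. *.example.com is not a legal origin)")
    if any(ch.isspace() for ch in stripped):
        # Approximation from the post: interior whitespace is never part of an origin
        findings.append("value contains interior whitespace")
    # Strict check: an origin is scheme "://" host [":" port] and nothing else.
    parts = urlsplit(stripped)
    if parts.scheme not in ORIGIN_SCHEMES or not parts.hostname:
        findings.append("not an absolute http(s) origin")
    elif parts.path or parts.query or parts.fragment or parts.username is not None:
        findings.append("origin must not carry a path, query, fragment or userinfo")
    return findings


def security_headers_display(value: str) -> str:
    """Mimic the SecurityHeaders computed field: prefix invalid values with '!'."""
    return value if not lint_acao(value) else "! " + value


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real server.
    for sample in ["*", "https://www.example.com", "*.example.com",
                   "https://www.example.com/", "https://a.example.com https://b.example.com"]:
        print(f"{security_headers_display(sample):45s} {lint_acao(sample)}")
```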

  • Eric Lawrence
  • Oct 10 2016
  • Under review