CORS requests can omit the preflight request – Opera Security Advisories




Cross-Origin Resource Sharing (CORS) requires the browser to send a preflight request (an HTTP OPTIONS request) before any cross-origin request that includes custom headers, so that the target host can indicate whether it wishes to allow the full request to be made. An example of where this matters is sites that use a custom header with a static value as part of their protection against Cross Site Request Forgery (XSRF) attacks: a plain cross-site form submission cannot carry such a header, and a script on another origin can only add it by way of a preflight, which the target site can refuse.
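The rule described above, written out as an added example (this is not Opera's code or any site's code). `needsPreflight()` reproduces the browser's decision, which sends a cross-origin request without a preflight only when it is a CORS "simple request", and `handlePreflight()` is one way a server can answer the OPTIONS preflight. The allow-list contents, origin names and request objects are constructed for the example.

```javascript
// Added example, not Opera's code: the CORS rule this advisory relies on.
// needsPreflight() reproduces the browser side (no preflight only for a CORS
// "simple request"); handlePreflight() is one way a server answers OPTIONS.
// Allow-list contents, origins and request objects are constructed here.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
// Request headers a browser may add without preflight (the Fetch standard's
// CORS-safelisted request headers; Content-Type only with the types below).
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Browser side: true when a preflight is required before this request.
// A plain HTML form POST is "simple"; adding X-Requested-With is not.
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return true;           // custom header, e.g. X-Requested-With
    if (lname === 'content-type') {
      const mediaType = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) return true; // e.g. application/json
    }
  }
  return false;
}

// Server side: answer an OPTIONS preflight. The origin, the method and every
// requested header must be on the allow-list; otherwise no CORS headers are
// returned and the browser refuses to send the real request.
function handlePreflight(req, allowedOrigins, allowedMethods, allowedHeaders) {
  const origin = req.headers['origin'];
  const method = (req.headers['access-control-request-method'] || '').toUpperCase();
  const requested = (req.headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  const allowed = new Set(allowedHeaders.map(h => h.toLowerCase()));
  const originOk = allowedOrigins.includes(origin);        // exact match, never a substring test
  const methodOk = allowedMethods.map(m => m.toUpperCase()).includes(method);
  if (!originOk || !methodOk || !requested.every(h => allowed.has(h))) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,                // echo the one allowed origin, not '*'
      'Access-Control-Allow-Methods': method,
      'Access-Control-Allow-Headers': requested.join(', '),
      'Access-Control-Allow-Credentials': 'true',
      'Access-Control-Max-Age': '600',
      'Vary': 'Origin',                                      // response differs per origin; keep caches honest
    },
  };
}
```

The point for XSRF defences is the first function: a form POST with `application/x-www-form-urlencoded` never triggers a preflight, which is exactly why a site may treat the presence of a custom header as proof that the request came through its own script rather than a cross-site form. That proof only holds while every browser enforces the preflight.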


In some specific cases, Opera may omit the preflight request. This means that any site that relies on a custom XMLHttpRequest header as its only protection against XSRF can have that protection bypassed by a specific type of CORS request in Opera: an attacking site can supply the same static header value, and because no preflight is sent, the request reaches the target site without its permission ever being asked. In such cases the HTTP Referer header is still sent correctly, so the target site may use it to detect the attack.


Opera’s Response

Opera Software has released Opera 12.13, where this issue has been fixed. Website authors are strongly encouraged to use more reliable XSRF protection techniques, such as sending a secret token in the form data of any HTTP request (including XMLHttpRequest) that initiates a sensitive action. The token should be unpredictable and tied to the user's session, and the server-side code validates it before performing the action.


Thanks to webpentest for reporting this issue to Opera Software.