Published 2021-03-20.
Many have tried to explain CORS, but most have not provided a clear explanation. I am going to try, then I will refer to explanations by others, who also provide examples.
Origin and Origin Server
A website is delivered to web browsers from an origin server, or origin for short. The origin server is principally responsible for generating web pages.
An origin is a combination of 3 things:
- A scheme (`http`, `https`, etc.)
- A (sub)domain, for example `localhost`, `blah.com` or `assets.blah.com`.
- A port, for example 80, 443, 8000, etc.
All three things must match in order for two URLs to be considered to be from the same origin. For example:
URL 1 | URL 2 | Same Origin? |
---|---|---|
http://blah.com | https://blah.com | No |
https://blah.com | https://assets.blah.com | No |
https://blah.com | https://blah.com/path/page.html | Yes |
Content Server
In this article, I use the term content server to refer to sources of online information other than the origin server. Resources referenced by a web page, such as images, JavaScript, CSS, and data might be provided by the origin server, or they might come from a content server.
Because every server has by definition a different origin, content servers always have a different origin than the origin server. Static resources (resources that do not change) are often served by content delivery networks (CDNs), which are also content servers.
The Cross-Origin Resource Sharing (CORS) standard controls whether a web page can load resources from content servers. Content servers are in charge of their content; they decide which origin servers they wish to co-operate with. When CORS support is properly configured, content servers include HTTP headers in their responses that tell a web browser whether those resources may be read by the web page being constructed.
Data is a special type of resource. CORS restricts how data is exchanged between the web page delivered to the web browser from the origin server and content servers. In particular, JSON and XML data communicated to and from content servers requires CORS authorization. Furthermore, requests (from the web browser) that send JSON, XML and other data formats to content servers also require CORS authorization.
Content-Type Header
The `Content-Type` header is used to indicate the media type of the resource. The old name MIME type has been replaced by media type. Here is a list of media types.
Media types with names that start with `application` require CORS authorization if they are delivered from content servers, for example `application/json` and `application/javascript`.
As well, a few media types with names that start with `text` require CORS authorization if they are delivered from content servers, for example `text/xml` and `text/xml-external-parsed-entity`.
Further Reading
Mariko Kosaka
Mariko Kosaka has written an easy-to-understand article describing CORS, and provides a simple but effective working Express website for demonstration.
Derric Gilling and MDN
Derric Gilling has written a more in-depth yet very approachable article describing CORS. I've paraphrased his quoting of the Mozilla Developer Network documentation into the following:
Any CORS request has to be preflighted if:
- It uses methods other than `GET`, `HEAD` or `POST`.
- If POST is used to send request data with a `Content-Type` other than `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain`. Examples:
  - A `POST` request sends an XML payload to the server; this requires the `Content-Type` header is set either to `application/xml` or `text/xml`.
  - A website makes an AJAX call that `POST`s JSON data to a REST API, this requires the `Content-Type` header is set to `application/json`.

– Mozilla Developer Network
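The preflight rules quoted above, written as a check you can run against a planned request. This is an added example, not code from the original post or from MDN; it goes slightly beyond the two quoted rules by also flagging request headers outside the CORS safelist (simplified: the `Range` header and value-length limits are ignored), and all function names and sample requests are constructed.

```javascript
// Methods that never trigger a preflight on their own.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);

// The only Content-Type values a page may send without a preflight.
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Assumption: simplified CORS-safelisted request header names.
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

// "application/json; charset=utf-8" -> "application/json"
function mediaTypeEssence(value) {
  return String(value).split(';')[0].trim().toLowerCase();
}

// Returns the list of reasons a browser would preflight this request.
function preflightReasons({ method = 'GET', headers = {} }) {
  const reasons = [];
  const verb = method.toUpperCase();
  if (!SIMPLE_METHODS.has(verb)) reasons.push(`method ${verb}`);
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) {
      reasons.push(`header ${lower}`);
    } else if (lower === 'content-type') {
      const essence = mediaTypeEssence(value);
      if (!SIMPLE_CONTENT_TYPES.has(essence)) reasons.push(`content-type ${essence}`);
    }
  }
  return reasons;
}

function needsPreflight(request) {
  return preflightReasons(request).length > 0;
}

// Constructed sample requests.
const SAMPLES = [
  { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' } },
  { method: 'POST', headers: { 'Content-Type': 'application/json; charset=utf-8' } },
  { method: 'POST', headers: { 'Content-Type': 'text/xml' } },
  { method: 'DELETE' },
  { method: 'GET', headers: { Authorization: 'Bearer placeholder' } },
];

for (const request of SAMPLES) {
  const reasons = preflightReasons(request);
  console.log(request.method, reasons.length ? `preflight: ${reasons.join(', ')}` : 'no preflight');
}
```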
Preflight Requests
CORS preflight requests effectively double the latency of user requests for CRUD actions. Client-side and server-side caching can help reduce this overhead for many circumstances. In another blog post I discuss how to use a CDN with multiple origin servers to completely eliminate the need for preflight requests.
For additional background, please see:
- CloudFront reverse proxy API Gateway to prevent CORS by Rehan van der Merwe
- Cache your CORS, for performance & profit by Tim Perry
KeyCDN
KeyCDN has an even more in-depth yet still very approachable article describing CORS.
CORScanner
CORScanner is a popular tool for detecting CORS misconfiguration. It is a Python module that can be executed as a shell command. Install CORScanner like this:
```
$ pip install cors
```
The above adds a new executable called `cors` in the same directory where your `python` command resides.
The `cors` documentation conflates the words URL and origin. Everywhere the word URL appears in the documentation, the word origin should be assumed.
Example: Check Domain
Use the `-u` option to specify an origin to test:
```
$ cors -u api.github.com
Starting CORS scan...
Finished CORS scanning...
```
To enable more debug info, use the `-v` option more than once. We can see that specifying `https` restricts testing to that scheme.
```
$ cors -vv -u https://api.github.com
Starting CORS scan...
2021-03-21 09:55:58 INFO Start checking reflect_origin for https://api.github.com
2021-03-21 09:55:58 INFO nothing found for {url: https://api.github.com, origin: https://evil.com, type: reflect_origin}
2021-03-21 09:55:58 INFO Start checking prefix_match for https://api.github.com
2021-03-21 09:55:58 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com.evil.com, type: prefix_match}
2021-03-21 09:55:58 INFO Start checking suffix_match for https://api.github.com
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: https://evilgithub.com, type: suffix_match}
2021-03-21 09:55:59 INFO Start checking trust_null for https://api.github.com
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: null, type: trust_null}
2021-03-21 09:55:59 INFO Start checking include_match for https://api.github.com
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: https://ithub.com, type: include_match}
2021-03-21 09:55:59 INFO Start checking not_escape_dot for https://api.github.com
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: https://api.githubacom, type: not_escape_dot}
2021-03-21 09:55:59 INFO Start checking custom_third_parties for https://api.github.com
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: https://whatever.github.io, type: custom_third_parties}
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: http://jsbin.com, type: custom_third_parties}
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: https://codepen.io, type: custom_third_parties}
2021-03-21 09:55:59 INFO nothing found for {url: https://api.github.com, origin: https://jsfiddle.net, type: custom_third_parties}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: http://www.webdevout.net, type: custom_third_parties}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://repl.it, type: custom_third_parties}
2021-03-21 09:56:00 INFO Start checking special_characters_bypass for https://api.github.com
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com_.evil.com, type: special_characters_bypass}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com-.evil.com, type: special_characters_bypass}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com".evil.com, type: special_characters_bypass}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com{.evil.com, type: special_characters_bypass}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com}.evil.com, type: special_characters_bypass}
2021-03-21 09:56:00 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com+.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com^.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com%60.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com!.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com~.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com`.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com;.evil.com, type: special_characters_bypass}
2021-03-21 09:56:01 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com|.evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com&.evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com'.evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com(.evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com).evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com*.evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com,.evil.com, type: special_characters_bypass}
2021-03-21 09:56:02 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com$.evil.com, type: special_characters_bypass}
2021-03-21 09:56:03 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com=.evil.com, type: special_characters_bypass}
2021-03-21 09:56:03 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com+.evil.com, type: special_characters_bypass}
2021-03-21 09:56:03 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com%0b.evil.com, type: special_characters_bypass}
2021-03-21 09:56:03 INFO Start checking trust_any_subdomain for https://api.github.com
2021-03-21 09:56:03 INFO nothing found for {url: https://api.github.com, origin: https://evil.api.github.com, type: trust_any_subdomain}
2021-03-21 09:56:03 INFO Start checking https_trust_http for https://api.github.com
2021-03-21 09:56:03 INFO nothing found for {url: https://api.github.com, origin: http://api.github.com, type: https_trust_http}
Finished CORS scanning...
```
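Several of the check names in this output correspond to a specific mistake in how a content server validates the `Origin` request header before echoing it back. The sketch below puts those weak validators beside a strict allowlist and audits each one. It is an added example, not code from CORScanner or the original post; the trusted origin `https://app.example.com`, the probe origins and all function names are constructed for illustration.

```javascript
// Constructed trusted origin for this example (not from the page).
const TRUSTED = 'https://app.example.com';

// Constructed probe origins, keyed by the CORScanner check name they mimic.
const PROBES = {
  reflect_origin: 'https://evil.example',
  prefix_match: 'https://app.example.com.evil.example',
  suffix_match: 'https://evilexample.com',
  not_escape_dot: 'https://app.exampleacom',
  trust_null: 'null',
  https_trust_http: 'http://app.example.com',
};

// Weak server-side origin checks, each named after the check that catches it.
const WEAK = {
  reflect_origin: () => true,                                     // echoes any origin
  prefix_match: (o) => o.startsWith(TRUSTED),                     // no end anchor
  suffix_match: (o) => o.endsWith('example.com'),                 // no start anchor
  not_escape_dot: (o) => /^https:\/\/app\.example.com$/.test(o),  // "." matches any char
  trust_null: (o) => o === TRUSTED || o === 'null',               // sandboxed pages send "null"
  https_trust_http: (o) => /^https?:\/\/app\.example\.com$/.test(o), // scheme ignored
};

// Hardened check: exact string comparison against a set of full origins
// (scheme, host and port together), with no pattern matching at all.
const ALLOWLIST = new Set([TRUSTED]);
const strict = (o) => ALLOWLIST.has(o);

// Names of the checks whose probe origin the validator wrongly accepts.
function audit(validate) {
  return Object.keys(PROBES).filter((name) => validate(PROBES[name]));
}

// CORS response headers for a request carrying the given Origin header.
// Vary: Origin keeps shared caches from serving one origin's grant to another.
function corsHeaders(origin, validate = strict) {
  if (typeof origin !== 'string' || !validate(origin)) return {};
  return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
}

// Audit every weak validator and the strict one.
function report() {
  const rows = {};
  for (const [name, validate] of Object.entries(WEAK)) rows[name] = audit(validate);
  rows.strict = audit(strict);
  return rows;
}

console.log(report());
```

A validator that returns an empty list from `audit` rejected every probe; note that the suffix check also accepts the plain-`http` origin, so one weak pattern can fail more than one check.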
Example: Check Origin
To check CORS misconfigurations of an origin:
```
$ cors -vvu https://api.github.com/users/mslinn/repos
Starting CORS scan...
2021-03-21 10:08:49 INFO Start checking reflect_origin for https://api.github.com
2021-03-21 10:08:49 INFO nothing found for {url: https://api.github.com, origin: https://evil.com, type: reflect_origin}
2021-03-21 10:08:49 INFO Start checking prefix_match for https://api.github.com
2021-03-21 10:08:49 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com.evil.com, type: prefix_match}
2021-03-21 10:08:49 INFO Start checking suffix_match for https://api.github.com
2021-03-21 10:08:49 INFO nothing found for {url: https://api.github.com, origin: https://evilgithub.com, type: suffix_match}
2021-03-21 10:08:49 INFO Start checking trust_null for https://api.github.com
2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: null, type: trust_null}
2021-03-21 10:08:50 INFO Start checking include_match for https://api.github.com
2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: https://ithub.com, type: include_match}
2021-03-21 10:08:50 INFO Start checking not_escape_dot for https://api.github.com
2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: https://api.githubacom, type: not_escape_dot}
2021-03-21 10:08:50 INFO Start checking custom_third_parties for https://api.github.com
2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: https://whatever.github.io, type: custom_third_parties}
2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: http://jsbin.com, type: custom_third_parties}
2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: https://codepen.io, type: custom_third_parties}
2021-03-21 10:08:50 INFO nothing found for {url: https://api.github.com, origin: https://jsfiddle.net, type: custom_third_parties}
2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: http://www.webdevout.net, type: custom_third_parties}
2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://repl.it, type: custom_third_parties}
2021-03-21 10:08:51 INFO Start checking special_characters_bypass for https://api.github.com
2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com_.evil.com, type: special_characters_bypass}
2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com-.evil.com, type: special_characters_bypass}
2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com".evil.com, type: special_characters_bypass}
2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com{.evil.com, type: special_characters_bypass}
2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com}.evil.com, type: special_characters_bypass}
2021-03-21 10:08:51 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com+.evil.com, type: special_characters_bypass}
2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com^.evil.com, type: special_characters_bypass}
2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com%60.evil.com, type: special_characters_bypass}
2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com!.evil.com, type: special_characters_bypass}
2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com~.evil.com, type: special_characters_bypass}
2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com`.evil.com, type: special_characters_bypass}
2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com;.evil.com, type: special_characters_bypass}
2021-03-21 10:08:52 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com|.evil.com, type: special_characters_bypass}
2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com&.evil.com, type: special_characters_bypass}
2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com'.evil.com, type: special_characters_bypass}
2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com(.evil.com, type: special_characters_bypass}
2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com).evil.com, type: special_characters_bypass}
2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com*.evil.com, type: special_characters_bypass}
2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com,.evil.com, type: special_characters_bypass}
2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com$.evil.com, type: special_characters_bypass}
2021-03-21 10:08:53 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com=.evil.com, type: special_characters_bypass}
2021-03-21 10:08:54 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com+.evil.com, type: special_characters_bypass}
2021-03-21 10:08:54 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com%0b.evil.com, type: special_characters_bypass}
2021-03-21 10:08:54 INFO Start checking trust_any_subdomain for https://api.github.com
2021-03-21 10:08:54 INFO nothing found for {url: https://api.github.com, origin: https://evil.api.github.com, type: trust_any_subdomain}
2021-03-21 10:08:54 INFO Start checking https_trust_http for https://api.github.com
2021-03-21 10:08:54 INFO nothing found for {url: https://api.github.com, origin: http://api.github.com, type: https_trust_http}
Finished CORS scanning...
```
If a scheme is not specified, then both `http` and `https` are tested:
```
$ cors -vvu api.github.com/users/mslinn/repos
Starting CORS scan...
2021-03-21 10:03:30 INFO Start checking reflect_origin for http://api.github.com
2021-03-21 10:03:30 INFO Start checking reflect_origin for https://api.github.com
2021-03-21 10:03:30 INFO nothing found for {url: https://api.github.com, origin: https://evil.com, type: reflect_origin}
2021-03-21 10:03:30 INFO Start checking prefix_match for https://api.github.com
2021-03-21 10:03:30 INFO nothing found for {url: http://api.github.com, origin: http://evil.com, type: reflect_origin}
2021-03-21 10:03:30 INFO Start checking prefix_match for http://api.github.com
2021-03-21 10:03:30 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com.evil.com, type: prefix_match}
2021-03-21 10:03:30 INFO Start checking suffix_match for https://api.github.com
2021-03-21 10:03:30 INFO nothing found for {url: https://api.github.com, origin: https://evilgithub.com, type: suffix_match}
2021-03-21 10:03:30 INFO Start checking trust_null for https://api.github.com
2021-03-21 10:03:30 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com.evil.com, type: prefix_match}
2021-03-21 10:03:30 INFO Start checking suffix_match for http://api.github.com
2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: null, type: trust_null}
2021-03-21 10:03:31 INFO Start checking include_match for https://api.github.com
2021-03-21 10:03:31 INFO nothing found for {url: http://api.github.com, origin: http://evilgithub.com, type: suffix_match}
2021-03-21 10:03:31 INFO Start checking trust_null for http://api.github.com
2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: https://ithub.com, type: include_match}
2021-03-21 10:03:31 INFO Start checking not_escape_dot for https://api.github.com
2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: https://api.githubacom, type: not_escape_dot}
2021-03-21 10:03:31 INFO Start checking custom_third_parties for https://api.github.com
2021-03-21 10:03:31 INFO nothing found for {url: http://api.github.com, origin: null, type: trust_null}
2021-03-21 10:03:31 INFO Start checking include_match for http://api.github.com
2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: https://whatever.github.io, type: custom_third_parties}
2021-03-21 10:03:31 INFO nothing found for {url: http://api.github.com, origin: http://ithub.com, type: include_match}
2021-03-21 10:03:31 INFO Start checking not_escape_dot for http://api.github.com
2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: http://jsbin.com, type: custom_third_parties}
2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: https://codepen.io, type: custom_third_parties}
2021-03-21 10:03:31 INFO nothing found for {url: http://api.github.com, origin: http://api.githubacom, type: not_escape_dot}
2021-03-21 10:03:31 INFO Start checking custom_third_parties for http://api.github.com
2021-03-21 10:03:31 INFO nothing found for {url: https://api.github.com, origin: https://jsfiddle.net, type: custom_third_parties}
2021-03-21 10:03:32 INFO nothing found for {url: http://api.github.com, origin: https://whatever.github.io, type: custom_third_parties}
2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: http://www.webdevout.net, type: custom_third_parties}
2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://repl.it, type: custom_third_parties}
2021-03-21 10:03:32 INFO Start checking special_characters_bypass for https://api.github.com
2021-03-21 10:03:32 INFO nothing found for {url: http://api.github.com, origin: http://jsbin.com, type: custom_third_parties}
2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com_.evil.com, type: special_characters_bypass}
2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com-.evil.com, type: special_characters_bypass}
2021-03-21 10:03:32 INFO nothing found for {url: http://api.github.com, origin: https://codepen.io, type: custom_third_parties}
2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com".evil.com, type: special_characters_bypass}
2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com{.evil.com, type: special_characters_bypass}
2021-03-21 10:03:32 INFO nothing found for {url: http://api.github.com, origin: https://jsfiddle.net, type: custom_third_parties}
2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com}.evil.com, type: special_characters_bypass}
2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com+.evil.com, type: special_characters_bypass}
2021-03-21 10:03:32 INFO nothing found for {url: http://api.github.com, origin: http://www.webdevout.net, type: custom_third_parties}
2021-03-21 10:03:32 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com^.evil.com, type: special_characters_bypass}
2021-03-21 10:03:33 INFO nothing found for {url: http://api.github.com, origin: https://repl.it, type: custom_third_parties}
2021-03-21 10:03:33 INFO Start checking special_characters_bypass for http://api.github.com
2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com%60.evil.com, type: special_characters_bypass}
2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com!.evil.com, type: special_characters_bypass}
2021-03-21 10:03:33 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com_.evil.com, type: special_characters_bypass}
2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com~.evil.com, type: special_characters_bypass}
2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com`.evil.com, type: special_characters_bypass}
2021-03-21 10:03:33 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com-.evil.com, type: special_characters_bypass}
2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com;.evil.com, type: special_characters_bypass}
2021-03-21 10:03:33 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com".evil.com, type: special_characters_bypass}
2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com|.evil.com, type: special_characters_bypass}
2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com&.evil.com, type: special_characters_bypass}
2021-03-21 10:03:33 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com{.evil.com, type: special_characters_bypass}
2021-03-21 10:03:33 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com'.evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com(.evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com}.evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com).evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com+.evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com*.evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com,.evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com^.evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com$.evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com=.evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com%60.evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com+.evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com!.evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO nothing found for {url: https://api.github.com, origin: https://api.github.com%0b.evil.com, type: special_characters_bypass}
2021-03-21 10:03:34 INFO Start checking trust_any_subdomain for https://api.github.com
2021-03-21 10:03:35 INFO nothing found for {url: https://api.github.com, origin: https://evil.api.github.com, type: trust_any_subdomain}
2021-03-21 10:03:35 INFO Start checking https_trust_http for https://api.github.com
2021-03-21 10:03:35 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com~.evil.com, type: special_characters_bypass}
2021-03-21 10:03:35 INFO nothing found for {url: https://api.github.com, origin: http://api.github.com, type: https_trust_http}
2021-03-21 10:03:35 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com`.evil.com, type: special_characters_bypass}
2021-03-21 10:03:35 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com;.evil.com, type: special_characters_bypass}
2021-03-21 10:03:35 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com|.evil.com, type: special_characters_bypass}
2021-03-21 10:03:35 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com&.evil.com, type: special_characters_bypass}
2021-03-21 10:03:36 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com'.evil.com, type: special_characters_bypass}
2021-03-21 10:03:36 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com(.evil.com, type: special_characters_bypass}
2021-03-21 10:03:36 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com).evil.com, type: special_characters_bypass}
2021-03-21 10:03:36 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com*.evil.com, type: special_characters_bypass}
2021-03-21 10:03:37 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com,.evil.com, type: special_characters_bypass}
2021-03-21 10:03:38 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com$.evil.com, type: special_characters_bypass}
2021-03-21 10:03:38 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com=.evil.com, type: special_characters_bypass}
2021-03-21 10:03:38 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com+.evil.com, type: special_characters_bypass}
2021-03-21 10:03:38 INFO nothing found for {url: http://api.github.com, origin: http://api.github.com%0b.evil.com, type: special_characters_bypass}
2021-03-21 10:03:38 INFO Start checking trust_any_subdomain for http://api.github.com
2021-03-21 10:03:39 INFO nothing found for {url: http://api.github.com, origin: http://evil.api.github.com, type: trust_any_subdomain}
Finished CORS scanning...
```