OpenShift Container Platform (OCP) 3.11 was too permissive in the way it specified CORS allowed origins during installation. An attacker able to man-in-the-middle the connection between the user's browser and the OpenShift console could use this flaw to perform a phishing attack.
Ensure that the corsAllowedOrigins definition within master-config.yaml contains elements in the form
and not the form
as the first form permits cross-origin requests only if both the host and the protocol match, whereas the second form also permits, for example, a downgrade to the http protocol.
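As an added illustration of that check (not code from the advisory or from OpenShift), the Go program below matches sample Origin header values against two constructed corsAllowedOrigins entries the way OpenShift's Go regexp-based matching does, and reports which entry would also accept the plain-http form of a legitimate https console origin. The pattern strings and the host console.example.com are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample entries (assumptions, not taken from the advisory).
// OpenShift treats each corsAllowedOrigins element as a regular expression that is
// searched (unanchored) within the request's Origin header value.
const LooseEntry = `console.example.com`                    // host only, no anchors, '.' unescaped
const StrictEntry = `^https://console\.example\.com(:|\z)` // scheme + exact host, optional port

// OriginAllowed reports whether a single corsAllowedOrigins entry accepts an Origin value,
// using Go's unanchored MatchString semantics as the API server does.
func OriginAllowed(pattern, origin string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(origin), nil
}

// AuditEntries returns the entries that would also accept the http:// downgrade of
// httpsOrigin, i.e. the weak form the advisory warns about. Invalid entries are skipped.
func AuditEntries(patterns []string, httpsOrigin string) []string {
	downgraded := "http://" + strings.TrimPrefix(httpsOrigin, "https://")
	var weak []string
	for _, p := range patterns {
		if ok, err := OriginAllowed(p, downgraded); err == nil && ok {
			weak = append(weak, p)
		}
	}
	return weak
}

func main() {
	probes := []string{
		"https://console.example.com",          // legitimate console origin
		"https://console.example.com:8443",     // same host, explicit port
		"http://console.example.com",           // protocol downgrade
		"https://console.example.com.evil.net", // host suffix spoofing
	}
	for _, entry := range []string{LooseEntry, StrictEntry} {
		for _, o := range probes {
			ok, _ := OriginAllowed(entry, o)
			fmt.Printf("%-45s %-40s allowed=%v\n", entry, o, ok)
		}
	}
	fmt.Println("entries accepting an http downgrade:", AuditEntries([]string{LooseEntry, StrictEntry}, "https://console.example.com"))
}
```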
Filed a bug to get the documentation updated: