How is CORS protecting the app?

Tags:

cors

I am having problems grasping the CORS concept...

The way I see it the same-origin-policy protects the app from making an ajax call to "untrusted domain". So, mydomain.com makes an ajax call to somedomain.com and the resource JSON/Script will not be retrieved.

I thought this is to protect the web app when some XSS vulnerability is discovered and someone puts that code using the tag into your page content and now can make ajax calls to other domains. - Am I right?

If I am right then CORS offers no protection because it's the server policy saying that if a request from mydomain.com comes to somedomain.com it should be allowed. Now, if I am attacking I would add my script and in my server I would set the CORS policy to allow those requests. From what I get CORS can totally bypass the same-origin-policy.

:|

UPDATE:

Reading a bit more I found answers that claim that CORS is not to protect the mydomain.com app, but the somedomain.com. Let's say somedomain.com is your bank that offers APIs to make bank transfers. Bank would allow API calls coming from the browser that has their app loaded (the same domain). In their CORS policy they can say that the script coming from mydomain.com can call their APIs. Note that client's browser can have the cookies for the bank set and that opens the bank to the attack by scripts coming from mydomain.com.

luigi7up asked Oct 31 '22 12:10



1 Answer

CORS does not protect the app.

The Same Origin Policy protects the app by preventing other sites from using a logged in user's browser to read data from it.

CORS allows the server to give other sites permission to read that data (for when the information needs to be shared). i.e. CORS is how you say "Do not apply the Same Origin Policy here".


Now, if I am attacking I would add my script and in my server I would set the CORS policy to allow those requests.

No. The server hosting the data has to set CORS headers. You can't give your own script permission to read data from someone else's site.


XSS is an unrelated category of security vulnerabilities. CORS and the Same Origin Policy have nothing to do with them.

Quentin answered Nov 08 '22 03:11

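The point of the answer above, as an added example that is not part of the original post: a small model of the browser's CORS read check next to a data server's allowlist, using the post's illustrative origins (somedomain.com as the bank API, mydomain.com as the attacker's page) plus an assumed trusted origin, partner.example.

```javascript
// Added example, not code from the original post. Models which cross-origin
// responses a browser lets a page's script read, and why the attacker's own
// server headers change nothing.

// Each server decides, per request Origin, which CORS headers it sends back.
const SERVERS = {
  // The bank names only origins it trusts; it never reflects an arbitrary Origin.
  'https://somedomain.com': (origin) => {
    const allowlist = new Set(['https://partner.example']); // assumed trusted origin
    if (!allowlist.has(origin)) return {};               // no header: browser blocks the read
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
    };
  },
  // The attacker's own server can be as permissive as it likes ...
  'https://mydomain.com': () => ({ 'Access-Control-Allow-Origin': '*' }),
};

// Browser side: may a script on `pageOrigin` read the response from `targetOrigin`?
// Only the responding server's headers are consulted; the page's own server is irrelevant.
function browserMayRead(pageOrigin, targetOrigin, withCredentials) {
  if (pageOrigin === targetOrigin) return true;           // same origin: SOP does not apply
  const server = SERVERS[targetOrigin];
  if (!server) return false;                              // unknown server, nothing to read
  const acao = server(pageOrigin)['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  // A wildcard never unlocks a response fetched with cookies (credentials).
  if (acao === '*') return !withCredentials;
  return acao === pageOrigin;
}

// ... but that only governs reads of *its own* data, not of the bank's.
function attackerCanReadBank() {
  return browserMayRead('https://mydomain.com', 'https://somedomain.com', true); // false
}

// An origin the bank explicitly allowlisted can read, cookies included.
function partnerCanReadBank() {
  return browserMayRead('https://partner.example', 'https://somedomain.com', true); // true
}

// Anyone can read the attacker's public data; that is all the wildcard grants.
function anyoneCanReadAttackerSite() {
  return browserMayRead('https://somedomain.com', 'https://mydomain.com', false); // true
}
```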