I am having problems grasping the CORS concept...
The way I see it the same-origin-policy protects the app from making an ajax call to "untrusted domain". So, mydomain.com makes an ajax call to somedomain.com and the resource JSON/Script will not be retrieved.
I thought this is to protect the web app when some XSS vulnerability is discovered and someone puts that code using the tag into your page content and now can make ajax calls to other domains. - Am I right?
If I am right then CORS offers no protection because it's the server policy saying that if a request from mydomain.com comes to somedomain.com it should be allowed. Now, if I am attacking I would add my script and in my server I would set the CORS policy to allow those requests. From what I get CORS can totally bypass the same-origin-policy
:|
UPDATE:
Reading a bit more I found answers that claim that CORS is not to protect the mydomain.com app, but the somedomain.com. Let's say somedomain.com is your bank that offers APIs to make bank transfers. Bank would allow API calls coming from the browser that has their app loaded (the same domain). In their CORS policy they can say that the script coming from mydomain.com can call their API's. Note that client's browser can have the cookies for the bank set nad that opens the bank to the attack by scripts coming from mydomain.com
CORS does not protect the app.
The Same Origin Policy protects the app by preventing other sites from using a logged in user's browser to read data from it.
CORS allows the server to give other sites permission to read that data (for when the information needs to be shared). i.e. CORS is how you say "Do not apply the Same Origin Policy here".
Now, if I am attacking I would add my script and in my server I would set the CORS policy to allow those requests.
No. The server hosting the data has to set CORS headers. You can't give your own script permission to read data from someone else's site.
XSS is an unrelated category of security vulnerabilities. CORS and the Same Origin Policy have nothing to do with them.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With