 

Is CORS a secure way to do cross-domain AJAX requests?

After reading about CORS (Cross-Origin Resource Sharing), I don't understand how it improves security. Cross-Domain AJAX communication is allowed if the correct ORIGIN header is sent. As an example, if I send

ORIGIN: http://example.com

The server checks if this domain is in the white list and, if it is, the header:

Access-Control-Allow-Origin: [received url here]

is sent back, together with the response (this is the simple case; there are also preflighted requests, but the question is the same).

Is this really secure? If someone wants to receive the information, faking an ORIGIN header seems like a really trivial task. Also, the standard says that the policy is enforced in the browser, blocking the response if Access-Control-Allow-Origin is not correct. Obviously, if anyone is trying to get that info, he will not use a standard browser to block it.

Gibarian2001 asked Jan 31 '11 12:01





1 Answer

The purpose is to prevent this -

  • You go to website X
  • The author of website X has written an evil script which gets sent to your browser
  • That script, running in your browser, logs onto your bank website and does evil stuff, and because it's running as you in your browser it has permission to do so.

The idea is that your bank's website needs some way to tell your browser whether scripts on website X should be trusted to access pages at your bank.

jcoder answered Sep 23 '22 13:09

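As an added example that is not part of the question or the answer above, here is the server-side allowlist check the question describes (Origin header in, Access-Control-Allow-Origin out), written the way a defender would: origins are normalized and matched exactly, nothing is reflected, credentials are only ever allowed for a listed origin, and Vary: Origin is set so a cache never serves one origin's answer to another; the allowlist and host names are constructed for the example. It also makes the answer's point concrete: the check only decides what a browser will let a page read, it is not authentication, so a forged Origin from a non-browser client gains nothing that client could not already fetch directly.

```python
from urllib.parse import urlsplit

# Constructed allowlist: exact origins (scheme + host[:port]), no wildcards.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}


def normalize_origin(origin):
    """Return 'scheme://host[:port]' in lower case, or None if the value is not
    a well-formed origin (e.g. missing, the literal 'null', or carrying a path)."""
    if not origin:
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers(origin, allowed=ALLOWED_ORIGINS, with_credentials=True, preflight=False):
    """Decide the CORS response headers for one request.

    Returns a dict of headers for an allowed origin, or {} when the origin is
    unknown: then no Access-Control-Allow-Origin is sent and a conforming
    browser refuses to hand the response body to the calling page.
    Exact set membership (not endswith/substring) stops look-alike hosts such as
    app.example.com.attacker.test from matching.  Note that this gate protects
    the *user* (the answer's bank scenario): a script on an unlisted site cannot
    read replies made with that user's cookies.  It does nothing against a
    client that is not a browser, which could always call the API itself.
    """
    norm = normalize_origin(origin)
    if norm is None or norm not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": norm, "Vary": "Origin"}
    if with_credentials:
        # Only ever combined with a specific, listed origin; never with "*".
        headers["Access-Control-Allow-Credentials"] = "true"
    if preflight:
        headers["Access-Control-Allow-Methods"] = "GET, POST"
        headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        headers["Access-Control-Max-Age"] = "600"
    return headers
```

Calling `cors_headers("https://app.example.com.attacker.test")` or `cors_headers("null")` returns `{}`, while a listed origin in any letter case gets back its canonical form plus `Vary: Origin`.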