Is it safe to use "Access-Control-Allow-Origin: *" setting on the server and use session based cookies at the same time?

I want to allow client applications to make cross domain JSON requests to a central data server. The clients and server will be on different domains.

To get around the "Origin null is not allowed by Access-Control-Allow-Origin." error, I have the server set a:

Access-Control-Allow-Origin: *

header.

I see here (http://www.w3.org/wiki/CORS_Enabled) that cross domain should only be used for "public data which doesn't require cookie or session based authentication".

Is it not safe to use session/cookie based authentication when using the Access-Control-Allow-Origin: * header? If not, why?

Thank you.

saintsjd asked Nov 14 '11 05:11


1 Answer

Having a CORS ruleset of Access-Control-Allow-Origin: * isn't a full Same-origin policy bypass, and is probably safe.

Having this header set on every page allows for unauthenticated resource requests. Authentication cookies are not implicitly included with these requests, so a cross-site XHR couldn't be used to, let's say, read your email, or read CSRF tokens on a remote domain - because these requests would require a cookie or a bearer token.

rook answered Nov 02 '22 04:11
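An added example (not code from the question or the answer above) showing the distinction the answer relies on: a server-side helper that emits the wildcard only for public, anonymous resources and names one exact allowlisted origin (with Access-Control-Allow-Credentials) for session-based ones, plus a model of the browser-side rule that a credentialed cross-site read is refused whenever the response carries `*`. The origins in TRUSTED_ORIGINS are assumed placeholders.

```javascript
// Assumed allowlist of client origins that may make credentialed (cookie-bearing)
// requests to the data server. Placeholder values, not from the original page.
// Never put the literal string "null" here: sandboxed frames and file:// pages
// all report Origin: null, so it identifies nobody.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Build the CORS response headers for one request.
//   requestOrigin: value of the request's Origin header (may be undefined or "null")
//   needsSession:  true if the resource depends on the user's session cookie
function corsHeaders(requestOrigin, needsSession) {
  if (!needsSession) {
    // Public data: any origin may read it. The browser does not attach the
    // session cookie to a response answered with '*', so nothing login-specific
    // can be read this way.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  // Session-based data: never wildcard. Echo the origin only when allowlisted;
  // otherwise send no CORS headers and the browser blocks the cross-origin read.
  if (!requestOrigin || !TRUSTED_ORIGINS.has(requestOrigin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // The response varies per origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Model of the browser's decision for a request sent with credentials:
// the body is exposed to the caller only if Allow-Origin is exactly the
// requesting origin (a wildcard is rejected) and credentials are allowed.
function browserAllowsCredentialedRead(headers, requestOrigin) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  return acao !== undefined && acao !== '*' && acao === requestOrigin && acac === 'true';
}
```

Note that `browserAllowsCredentialedRead` returns false for a misconfigured server that sends `*` together with `Access-Control-Allow-Credentials: true`, which is why a wildcard cannot by itself expose session-protected data.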