Possible security issues of setting Access-Control-Allow-Origin

I see that setting the "*" wildcard is a security risk, i.e.

Access-Control-Allow-Origin: "*"

What I would like to know is: are there any security risks in setting a concrete domain, i.e.

Access-Control-Allow-Origin: http://www.example.com
Vladimir Bozic asked Feb 20 '13 11:02


1 Answer

CORS headers are typically used for JavaScript AJAX requests. Browsers have a built-in safety mechanism that doesn't allow you to query other domains unless they explicitly allow it by setting these CORS headers.

There isn't much of a security risk really. You can always send malicious requests anyway. Browsers just collectively decide to play nice.

One thing to be aware of is that you don't necessarily always want to send the

Access-Control-Allow-Origin: http://www.example.com

header. This could potentially lead people to all the domains that make use of your API. My recommendation is that you only emit the header if it is necessary, i.e. you get an OPTIONS request from a whitelisted domain.

I wrote a blog post about this recently: http://fritsvancampen.wordpress.com/2013/02/03/cross-site-origin-requests-aka-cross-origin-resource-sharing/

Halcyon answered Sep 23 '22 19:09
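The whitelist approach the answer recommends, as an added example (not code from the question or the answer above): a small Node.js API that only emits `Access-Control-Allow-Origin` when the request's `Origin` exactly matches a known domain, and otherwise sends no CORS header at all. The whitelist entries and port are constructed for the example; the browser-side behaviour it relies on (the browser sending `Origin` and blocking the response when the header is missing) is standard CORS.

```javascript
// Added example, not from the original post: whitelist-based CORS for a
// Node.js API. The allow-origin header is only sent back to origins on the
// list, so other visitors never learn which domains use the API, and the
// comparison is an exact string match (a suffix check such as
// endsWith('example.com') would also accept attacker-registered lookalikes).

// Constructed whitelist for the example; replace with your own origins.
const ALLOWED_ORIGINS = new Set([
  'https://www.example.com',
  'https://app.example.com',
]);

// Returns the CORS response headers for one request, or an empty object
// when the Origin header is absent or not whitelisted (nothing is emitted).
function corsHeadersFor(origin, requestMethod) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  const headers = {
    'Access-Control-Allow-Origin': origin, // echo the matched origin, never '*'
    'Vary': 'Origin',                      // caches must key on Origin
  };
  if (requestMethod === 'OPTIONS') {
    // Preflight: state what the browser may do, and let it cache the answer.
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Builds (but does not start) an HTTP server that applies the policy above.
// Preflights from unknown origins get 403; normal requests from unknown
// origins are answered but carry no CORS header, so the browser blocks them.
function createApiServer() {
  const http = require('http');
  return http.createServer((req, res) => {
    const cors = corsHeadersFor(req.headers.origin, req.method);
    if (req.method === 'OPTIONS') {
      res.writeHead(Object.keys(cors).length > 0 ? 204 : 403, cors);
      res.end();
      return;
    }
    res.writeHead(200, { 'Content-Type': 'application/json', ...cors });
    res.end(JSON.stringify({ ok: true }));
  });
}
```

To run it, call `createApiServer().listen(8080)` and send a request with `curl -i -H 'Origin: https://www.example.com' http://localhost:8080/`; the same request with an unlisted `Origin` (or none) returns a response without any `Access-Control-Allow-Origin` header. Keeping `corsHeadersFor` pure makes the policy easy to unit-test independently of the server.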