Security concerns about CORS

Question

I've just learned about CORS, basically because I didn't need it until now.

I've read that CORS enables cross-site origin, by sending HTTP headers with the AJAX call, so the other server can evaluate the request is coming from an approved site.

Now my main concern is, can't the HTTP headers be spoofed? For example, can't an attacker curl a request to the other server, sending the exact HTTP headers that my CORS request does? In that case, the server will accept the request, and the attacker will retrieve any sensitive data the server will send him.

We all know how easy it is to retrieve javascript from a page, so everything I send with CORS can easilly be seen by keen eyes. HTTP headers included.

So, I guess sensitive information should never be shared within a CORS communication... Or did I get this everything wrong? Please shed some light! :) Thanks

Answer 1

Now my main concern is, can't the HTTP headers be spoofed? For example, can't an attacker curl a request to the other server, sending the exact HTTP headers that my CORS request does?

You have two misconceptions here.

1. CORS headers are sent by the server not the client (although sometimes a client will make a pre-flight OPTIONS request)
2. What the Same Origin Policy is defending against

The Same Origin Policy exists to stop Mallory's (evil) website from getting data from Bob's website by asking Alice's browser to request it when Alice visits Mallory's website.

If that was possible, then Mallory could get any information that was supposed to be a shared secret between Alice and Bob (such as Alice's account balance on Bob's banking website).

can't an attacker curl a request to the other server, sending the exact HTTP headers that my CORS request does?

Since Mallory has no way of knowing what security credentials need to be included in the request (because, for instance, they are stored in Alice's cookies for Bob's website): No.

But CORS doesn't matter here, but the Same Origin Policy isn't implemented by cURL since it isn't a browser running JavaScript supplied by arbitrary websites.

I guess sensitive information should never be shared within a CORS communication

It depends on the nature of the information.

If Alice and whatever websites you authorise in the CORS headers are allowed to see it, then it is fine to send it (although you should probably use SSL): So long as you have authenticated Alice's identity.

If only Alice and you site should see it, then don't put CORS headers on it (and don't provide any other way to bypass the Same Origin Policy, such as JSON-P).

If Alice shouldn't see it, then you should never send it to Alice's browser, CORS or no CORS.