Insecure Cross-Origin Resource Sharing (CORS) policy

Insecure Cross-Origin Resource Sharing (CORS) policy

Risk: medium

Description

Cross-Origin Resource Sharing (CORS) uses HTTP headers to let a web client gain access to resources from a server on a different domain. Browsers restrict cross-origin HTTP requests initiated from within scripts for security purposes.

If the policy allows another domain, then that domain can attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can retrieve content from the application, and carry out actions within the security context of the logged-in user.

Recommendation

CORS is an appropriate choice for cross-domain sharing; access must be, however, restricted to authorized domains only, particularly if Access-Control-Allow-Credentials is enabled.

All unauthorized domains must be restricted in addition to domains that allow running untrusted code like jsfiddle.com.

Links

• Cross-Origin Resource Sharing (Mozilla Developer)