
Insecure Cross-Origin Resource Sharing (CORS) policy


Description

Cross-Origin Resource Sharing (CORS) uses HTTP headers to let a web client gain access to resources from a server on a different domain. Browsers restrict cross-origin HTTP requests initiated from within scripts for security purposes.

If the policy allows another domain, that domain can be used to attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, any malicious content running on that domain can retrieve content from the application and carry out actions within the security context of the logged-in user.

Recommendation

CORS is an appropriate choice for cross-domain sharing; however, access must be restricted to authorized domains only, particularly if Access-Control-Allow-Credentials is enabled.

All unauthorized domains must be restricted, including domains that allow running untrusted code, such as jsfiddle.com.
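The following is an added example, not code from the original page, showing the server-side check the recommendation describes: CORS response headers are emitted only when the request's Origin exactly matches an entry in an allowlist, and the credentials header is never combined with a reflected or wildcard origin. The allowlist entries (`app.example.com`, `admin.example.com:8443`) are constructed placeholders. The insecure variant that reflects the Origin header is included only for comparison; it is the pattern the Description section warns about.

```python
from urllib.parse import urlsplit

# Constructed allowlist: full origins (scheme + host + optional port), not bare hostnames.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})


def normalize_origin(origin):
    """Return the canonical form 'scheme://host[:port]' of an Origin header value,
    or None if the value is absent, 'null', or not a well-formed origin."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)  # urlsplit lowercases the scheme; .hostname is lowercased
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # An Origin header carries no path, query, fragment or userinfo; reject anything extra.
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    # Browsers omit the default port, so "https://host:443" must match "https://host".
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Return CORS headers only when the Origin is exactly on the allowlist;
    otherwise return an empty dict so the browser blocks the cross-origin read.

    Exact matching (rather than suffix or substring checks) is what prevents
    'evil-example.com' or 'app.example.com.attacker.test' from being accepted."""
    canonical = normalize_origin(origin)
    if canonical is None or canonical not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": canonical,
        "Access-Control-Allow-Credentials": "true",
        # Tell caches the response differs per Origin so one site's headers are
        # never served to another.
        "Vary": "Origin",
    }


def insecure_cors_headers(origin):
    """Insecure pattern for comparison: reflects whatever Origin the client sent
    together with credentials, so any site a logged-in user visits can read API
    responses as that user. Do not use."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for probe in ("https://app.example.com", "https://APP.example.com:443",
                  "https://app.example.com.attacker.test", "null", ""):
        print(f"{probe!r:45} -> {cors_headers(probe)}")
```

The `Vary: Origin` header matters whenever the allowlist contains more than one origin: without it a shared cache could serve a response carrying one origin's headers to a request from another. The port normalization is what makes an allowlist of canonical origins match the forms browsers actually send.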

Standards

  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_7_3
    • REQ_8_3
    • REQ_11_3