Insecure Cross-Origin Resource Sharing (CORS) policy
Description
Cross-Origin Resource Sharing (CORS) uses HTTP headers to let a web client gain access to resources from a server on a different domain. Browsers restrict cross-origin HTTP requests initiated from within scripts for security purposes.
If the policy allows another domain, then that domain can attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can retrieve content from the application, and carry out actions within the security context of the logged-in user.
Recommendation
CORS is an appropriate choice for cross-domain sharing; access must, however, be restricted to authorized domains only, particularly if Access-Control-Allow-Credentials is enabled. All unauthorized domains must be restricted, as must domains that allow running untrusted code, like jsfiddle.com.
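As an added example (not code from the original page), the insecure pattern of reflecting the request's Origin header with credentials enabled, beside an exact-match allowlist that also covers the "null" origin and look-alike hosts. The allowlist and origin strings are constructed sample values.

```javascript
// Constructed sample allowlist: only these exact origins may read responses
// with credentials. Entries are full origins (scheme + host), not substrings.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Insecure pattern: echoes whatever Origin the browser sent and grants
// credentials. Any site a logged-in user visits can then read the response
// in the user's security context, which is exactly what the finding describes.
function insecureCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Also insecure: substring checks. A suffix test accepts the look-alike
// "https://evil-example.com"; a prefix test accepts
// "https://app.example.com.attacker.example". Shown only to illustrate the bug.
function naiveSuffixMatch(requestOrigin) {
  return typeof requestOrigin === "string" && requestOrigin.endsWith("example.com");
}

// Hardened pattern: exact-match allowlist. Unknown origins, including the
// literal "null" origin sent from sandboxed frames and file:// pages, get no
// Allow-Origin / Allow-Credentials headers, so the browser blocks the read.
function secureCorsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin is always set so shared caches never serve one origin's
  // permissive headers to a request from another origin.
  const headers = { Vary: "Origin" };
  if (typeof requestOrigin !== "string" || !allowed.has(requestOrigin)) {
    return headers;
  }
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

module.exports = { insecureCorsHeaders, naiveSuffixMatch, secureCorsHeaders };
```

Because the allowlist holds full origins, "http://app.example.com" (plain HTTP) is rejected as well; add it explicitly only if that scheme is genuinely trusted.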