CORS – Is It a Secure Way for Cross-Domain AJAX Requests?

ajaxcorscross-domainjavascript

After reading about CORS (Cross-Origin Resource Sharing), I don't understand how it improves security. Cross-Domain AJAX communication is allowed if the correct ORIGIN header is sent. As an example, if I send

ORIGIN: http://example.com

The server checks if this domain is in the white list and, if it is, header:

Access-Control-Allow-Origin: [received url here]

is sent back, together with the response (This is the simple case, there are also prefighted requests, but the question is the same).

Is this really secure? If someone wants to receive the information, faking an ORIGIN headers seems like a really trivial task. Also the standard says that the policy is enforced in the browser, blocking the response if Access-Control-Allow-Origin is not correct. Obviously if anyone is trying to get that info, he will not use a standard browser to block it.

Best Answer

The purpose is to prevent this -

You go to website X
The author of website X has written an evil script which gets sent to your browser
that script running on your browser logs onto your bank website and does evil stuff and because it's running as you in your browser it has permission to do so.

The ideas is that your bank's website needs some way to tell your browser if scripts on website X should be trusted to access pages at your bank.

Related Solutions

JavaScript CORS – How to Make Cross-Domain AJAX Requests

Jetty filter:

<web-app>
 <filter>
   <filter-name>cross-origin</filter-name>
   <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
   <init-param>
       <param-name>allowedOrigins</param-name>
       <param-value>*</param-value>
   </init-param>
   <init-param>
       <param-name>allowedMethods</param-name>
       <param-value>*</param-value>
   </init-param>
   <init-param>
       <param-name>allowedHeaders</param-name>
       <param-value>*</param-value>
   </init-param>
 </filter>
 <filter-mapping>
     <filter-name>cross-origin</filter-name>
     <filter-pattern>*</filter-pattern>
 </filter-mapping>
</web-app>

JavaScript AJAX CORS – Understanding Security Considerations

As I learned from this post, when page from www.a.com makes AJAX request to www.b.com, then it's the www.b.com that decides if request should be allowed or not.

Not quite. The request isn't blocked (at least, if it is simple).

By default the JavaScript running on www.a.com is forbidden access to the response from www.b.com.

CORS provides a means by which www.b.com can give permission to the JavaScript on www.a.com to access the response.

But what is exactly secured on client in such model?

It stops the author of www.a.com from reading data from www.b.com using the browser of a User who has visited both sites and has been authenticated on www.b.com (and thus has access to data that isn't public).

For example, Alice is logged into Google. Alice visits malicious.example which uses XMLHttpRequest to access data from gmail.com. Alice has a GMail account so the response has a list of the most recent email in her inbox. The same origin policy prevents malicious.example from reading it.

For example, hacker success to make XSS script injection to my page, then it makes AJAX request to his domain to store user data. So hackers domain will allow such request for sure.

Correct. XSS is a different security problem that needs to be addressed at source (i.e. at www.a.com and not in the browser).

Best Answer

Related Solutions

JavaScript CORS – How to Make Cross-Domain AJAX Requests

JavaScript AJAX CORS – Understanding Security Considerations

Related Question