JavaScript AJAX CORS – Understanding Security Considerations

ajaxcorscross-domainjavascript

I am trying to understand why CORS is working in way that it works.

As I learned from this post, when page from www.a.com makes AJAX request to www.b.com, then it's the www.b.com that decides if request should be allowed or not.

But what is exactly secured on client in such model?
For example, if a hacker succeeds to make an XSS script injection to my page, then it makes an AJAX request to his domain to store user data. So a hacker's domain will allow such a request for sure.

I thought that www.a.com should decide to which domains to allow the request to. So in theory within a header Access-Control-Allow-Origin I would like to put the whole list of the domains that are allowed for AJAX CORS requests.

Can someone explain what security problems the current CORS implementation handles?

Best Answer

As I learned from this post, when page from www.a.com makes AJAX request to www.b.com, then it's the www.b.com that decides if request should be allowed or not.

Not quite. The request isn't blocked (at least, if it is simple).

By default the JavaScript running on www.a.com is forbidden access to the response from www.b.com.

CORS provides a means by which www.b.com can give permission to the JavaScript on www.a.com to access the response.

But what is exactly secured on client in such model?

It stops the author of www.a.com from reading data from www.b.com using the browser of a User who has visited both sites and has been authenticated on www.b.com (and thus has access to data that isn't public).

For example, Alice is logged into Google. Alice visits malicious.example which uses XMLHttpRequest to access data from gmail.com. Alice has a GMail account so the response has a list of the most recent email in her inbox. The same origin policy prevents malicious.example from reading it.

For example, hacker success to make XSS script injection to my page, then it makes AJAX request to his domain to store user data. So hackers domain will allow such request for sure.

Correct. XSS is a different security problem that needs to be addressed at source (i.e. at www.a.com and not in the browser).

Related Solutions

CORS – Is It a Secure Way for Cross-Domain AJAX Requests?

The purpose is to prevent this -

You go to website X
The author of website X has written an evil script which gets sent to your browser
that script running on your browser logs onto your bank website and does evil stuff and because it's running as you in your browser it has permission to do so.

The ideas is that your bank's website needs some way to tell your browser if scripts on website X should be trusted to access pages at your bank.

CORS – When is it Safe to Enable?

In answer to your second question (If a CORS enabled server sets a session_token through a cookie...?), the cookie is saved under the domain of the CORS server. The main web page's JS code can't access the cookie, even via document.cookie. The cookie is only sent to the server when the .withCredentials property is set, and even then, it is only accepted when the server sets the Access-Control-Allow-Credentials header.

Your first question is a little more open ended. It is fairly secure, but there are ways to circumvent things. For example, an attacker could use a DNS poisoning technique to cause a preflight request to hit the actual server, but send the actual CORS request to the rogue server. Here are some more resources on CORS security:

Lastly, your concern is around giving any website access to your CORS data. In order to protect against this, you should not use the Access-Control-Allow-Origin: * header. Instead, you should echo back the user's Origin value. For example:

Access-Control-Allow-Origin: http://www.example.com

This header will allow only http://www.example.com to access the response data.

Best Answer

Related Solutions

CORS – Is It a Secure Way for Cross-Domain AJAX Requests?

CORS – When is it Safe to Enable?

Related Question