I am trying to understand why CORS works the way it works.
As I learned from this post, when a page from www.a.com makes an AJAX request to www.b.com, it's www.b.com that decides whether the request should be allowed or not.
But what exactly is secured on the client in such a model?
For example, if a hacker succeeds in injecting an XSS script into my page, it makes an AJAX request to his domain to store user data. So the hacker's domain will allow such a request for sure.
I thought that www.a.com should decide which domains to allow requests to. So in theory, in an Access-Control-Allow-Origin header I would like to put the whole list of domains that are allowed for AJAX CORS requests.
Can someone explain what security problems the current CORS implementation handles?
Best Answer
Not quite. The request isn't blocked (at least, if it is simple). By default the JavaScript running on www.a.com is forbidden access to the response from www.b.com. CORS provides a means by which www.b.com can give permission to the JavaScript on www.a.com to access the response.

It stops the author of www.a.com from reading data from www.b.com using the browser of a user who has visited both sites and has been authenticated on www.b.com (and thus has access to data that isn't public).

For example, Alice is logged into Google. Alice visits malicious.example, which uses XMLHttpRequest to access data from gmail.com. Alice has a GMail account, so the response has a list of the most recent email in her inbox. The same origin policy prevents malicious.example from reading it.

Correct. XSS is a different security problem that needs to be addressed at source (i.e. at www.a.com and not in the browser).
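As an added example (not part of the question or answer above), here is a small model of the check a browser applies to a simple cross-origin request. It assumes response header names are lowercased and reuses the domains from the thread; it shows that the request is always sent and that only the responding origin's headers decide whether the page's script may read the reply.

```javascript
// Added example (not from the original post): a model of the browser-side
// CORS check for a "simple" cross-origin request. The request is always sent;
// only whether the page's script may READ the response is gated, and that
// decision is driven by headers chosen by the responding origin.

// Apply the CORS response check the browser performs before handing the
// response body to script. `origin` is the requesting page's origin,
// `headers` are the response headers (assumed lowercased keys),
// `withCredentials` is the XHR flag that sends the user's cookies.
function corsReadAllowed(origin, headers, withCredentials) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false;       // server said nothing: blocked
  if (acao === "*") return !withCredentials;  // wildcard never pairs with cookies
  if (acao !== origin) return false;          // exact, single-origin match only
  if (withCredentials) {
    return headers["access-control-allow-credentials"] === "true";
  }
  return true;
}

// Model one simple request: the request reaches the server (carrying the
// user's cookies for that server when withCredentials is set) regardless of
// the outcome; the page only learns the response if the check passes.
function simulateSimpleRequest(pageOrigin, serverResponseHeaders, withCredentials) {
  return {
    requestSent: true,
    responseReadable: corsReadAllowed(pageOrigin, serverResponseHeaders, withCredentials),
  };
}

// Scenario 1 (from the answer): malicious.example tries to read Alice's inbox.
// gmail.com sends no Access-Control-Allow-Origin, so the read is blocked.
const inboxAttempt = simulateSimpleRequest(
  "https://malicious.example", { "content-type": "text/html" }, true);

// Scenario 2 (from the question): an injected script on www.a.com posts data
// to an origin that allows www.a.com. CORS gives www.a.com no control here:
// the request is sent either way, and the receiving server alone decides
// whether the reply is readable. XSS has to be fixed on www.a.com itself.
const exfilAttempt = simulateSimpleRequest(
  "https://www.a.com", { "access-control-allow-origin": "https://www.a.com" }, false);

// Scenario 3: a wildcard grant is refused once cookies are involved.
const wildcardWithCookies = corsReadAllowed("https://www.a.com",
  { "access-control-allow-origin": "*" }, true);
```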