Full Disclosure mailing list archives
Pros and cons of 'Access-Control-Allow-Origin' header?
From: David Blanc <davidblanc1975 () gmail com>
Date: Thu, 23 Feb 2012 00:07:08 +0530
Does the 'Access-Control-Allow-Origin' header provide any benefits in defending against cross-site scripting attacks? Doesn't the 'Access-Control-Allow-Origin' header make any XSS flaw trivially exploitable? For example, if an attacker finds an XSS flaw in a web application, he can now inject JavaScript using XMLHttpRequest that sends a request to the attacker's web server, which serves resources with the HTTP header "Access-Control-Allow-Origin: *". The browser would see this header and fetch the resource from the attacker's web server. Isn't the web a safer place without this header?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
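As an added illustration (not part of David Blanc's post or any reply), here is a simplified model of the browser-side CORS decision: the check reads Access-Control-Allow-Origin from the response of the server that owns the fetched resource, and a request an injected script makes back to its own origin never consults it at all. The origins and headers below are constructed, and the model ignores preflight and the "null" origin.

```javascript
// Added example, not code from the original thread. Models which
// cross-origin responses a page at `pageOrigin` may read. The answer
// depends only on headers sent by the fetched resource's server, which is
// why an Access-Control-Allow-Origin header on the victim site does not
// constrain script already executing inside that site via XSS.

/**
 * Decide whether a cross-origin response body is exposed to the page.
 * @param {string} pageOrigin       origin of the page issuing the request
 * @param {Object} respHeaders      response headers from the resource's server
 * @param {boolean} withCredentials whether cookies/auth were attached
 * @returns {boolean} true if the page can read the response
 */
function corsResponseReadable(pageOrigin, respHeaders, withCredentials) {
  // Header names are case-insensitive; normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(respHeaders)) h[k.toLowerCase()] = v;

  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;   // no CORS header: response stays opaque

  if (allowOrigin === '*') {
    // The wildcard is only honoured for requests without credentials.
    return !withCredentials;
  }
  if (allowOrigin !== pageOrigin) return false;  // a single exact origin must match

  // A credentialed request additionally needs the explicit opt-in header.
  return withCredentials ? h['access-control-allow-credentials'] === 'true' : true;
}

/**
 * Same-origin requests bypass CORS entirely. Script injected through XSS
 * runs with the victim page's origin, so its requests to that site's own
 * endpoints are same-origin and Access-Control-Allow-Origin is never read.
 */
function isSameOrigin(pageOrigin, targetUrl) {
  return new URL(targetUrl).origin === pageOrigin;
}

// Constructed scenario: a page on https://app.example fetching from a
// third-party host that answers with a wildcard header.
const wildcardResponse = { 'Access-Control-Allow-Origin': '*' };
console.log(corsResponseReadable('https://app.example', wildcardResponse, false)); // true
console.log(corsResponseReadable('https://app.example', wildcardResponse, true));  // false
console.log(isSameOrigin('https://app.example', 'https://app.example/api/data'));  // true
```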
Current thread:
- Pros and cons of 'Access-Control-Allow-Origin' header? David Blanc (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michele Orru (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? David Blanc (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michal Zalewski (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michele Orru (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michele Orru (Feb 22)