Full Disclosure mailing list archives
Re: Pros and cons of 'Access-Control-Allow-Origin' header?
From: Michele Orru <antisnatchor () gmail com>
Date: Wed, 22 Feb 2012 20:58:02 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Take a look at http://beefproject.com internals. We're using that header. Actually it depends how do you use it. It's like crossdomain.xml: you can use a wildcard or not, it's up to you. Cheers antisnatchor David Blanc wrote:
Does 'Access-Control-Allow-Origin' header provide any benefits in defending against cross site scripting attacks? Doesn't 'Access-Control-Allow-Origin' header make any XSS flaw trivially exploitable? For example, if an attacker finds an XSS flaw in a web application, he can now inject a JavaScript with XMLHttpRequest that sends a request to attacker's web server which serves resources with the HTTP header "Access-Control-Allow-Origin: *". The browser would see this header and fetch the resource from the attacker's web server. Isn't the web a safer place without this header? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJPRUjKAAoJEBgl8Z+oSxe4Gn8H+wTu5HqCgm5md7jZOghFV0c0 TSgTakNd05x60raj1wNeCXjqE2mqHDvECjJIezlzlDgAx3q2TpagUlzR2iIICc6Y 25N9CCIkvb6WPqBl3Ee/NYkXPgKb6GDNGzdzNGZtrzZZrvOP3Dy6MCvw6RxwjcWo DtAzvHd4tAktRMfOpE61ICwyXOl5dCER4a/ai3DolN7O5xJvv0SsB3qgBF+4++pJ XhuQC9WA3j9994k9n9x4NGqJBZUE7vvfTIZR3T85BgcY8YiJgOHTmarMF7Fb6kHB mSLEVLWE1bY3aMKN7+SPjnkS7LZeCoMnhmXEQ2jcWCPUBQpv/hzjq6hgduOSoes= =xNpJ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Pros and cons of 'Access-Control-Allow-Origin' header? David Blanc (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michele Orru (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? David Blanc (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michal Zalewski (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michele Orru (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michele Orru (Feb 22)