Full Disclosure mailing list archives

Re: Pros and cons of 'Access-Control-Allow-Origin' header?

From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 22 Feb 2012 12:54:42 -0800

Does 'Access-Control-Allow-Origin' header provide any benefits in
defending against cross site scripting attacks?


No. It's a mechanism to control cross-origin XMLHttpRequests (and some
other peripheral things), and adding it does not reduce the likelihood
or exploitability of XSS bugs.

If you use it incorrectly, you may end up removing most of the
security assurances provided by the same-origin policy, but that's a
separate topic.

Doesn't 'Access-Control-Allow-Origin' header make any XSS flaw
trivially exploitable? For example, if an attacker finds an XSS flaw
in a web application, he can now inject a JavaScript with
XMLHttpRequest that sends a request to attacker's web server which
serves resources with the HTTP header "Access-Control-Allow-Origin:
*". The browser would see this header and fetch the resource from the
attacker's web server.


If you have an XSS vulnerability, there are many simpler ways to relay
data to an attacker-controlled site without the need to use CORS.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Pros and cons of 'Access-Control-Allow-Origin' header? David Blanc (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michele Orru (Feb 22)
  - Re: Pros and cons of 'Access-Control-Allow-Origin' header? David Blanc (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michal Zalewski (Feb 22)
  - Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michele Orru (Feb 22)