CORS
Cross-origin resource sharing (CORS)
Cross-origin resource sharing (CORS) is a mechanism for integrating applications. CORS defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. This is useful because complex applications often reference third-party APIs and resources in their client-side code.
Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain. It extends and adds flexibility to the same-origin policy (SOP). However, it also provides potential for cross-domain attacks, if a website’s CORS policy is poorly configured and implemented. CORS is not a protection against cross-origin attacks such as cross-site request forgery (CSRF).
https://portswigger.net/web-security/csrf
Same-origin policy
Today, browsers enforce that clients can only send requests to a resource with the same origin as the client’s URL. The protocol, port, and hostname of the client’s URL should all match the server it requests.
The same-origin policy is a restrictive cross-origin specification that limits the ability for a website to interact with resources outside of the source domain. The same-origin policy was defined many years ago in response to potentially malicious cross-domain interactions, such as one website stealing private data from another. It generally allows a domain to issue requests to other domains, but not to access the responses.
https://portswigger.net/web-security/cors/same-origin-policy
Relaxation of the same-origin policy
The same-origin policy is very restrictive and consequently various approaches have been devised to circumvent the constraints. Many websites interact with subdomains or third-party sites in a way that requires full cross-origin access. A controlled relaxation of the same-origin policy is possible using cross-origin resource sharing (CORS).
The cross-origin resource sharing protocol uses a suite of HTTP headers that define trusted web origins and associated properties such as whether authenticated access is permitted. These are combined in a header exchange between a browser and the cross-origin web site that it is trying to access.
How does cross-origin resource sharing work?
In standard internet communication, your browser sends an HTTP request to the application server, receives data as an HTTP response, and displays it. In browser terminology, the current browser URL is called the current origin and the third-party URL is cross-origin.
When you make a cross-origin request, this is the request-response process:
- The browser adds an origin header to the request with information about the current origin’s protocol, host, and port
- The server checks the current origin header and responds with the requested data and an Access-Control-Allow-Origin header
- The browser sees the access control request headers and shares the returned data with the client application
Alternatively, if the server doesn’t want to allow cross-origin access, it responds with an error message.
Cross-origin resource sharing example
For example, consider a site called https://news.example.com. This site wants to access resources from an API at partner-api.com.
Developers at https://partner-api.com first configure the cross-origin resource sharing (CORS) headers on their server by adding new.example.com to the allowed origins list. They do this by adding the below line to their server configuration file.
example from the POC
Access-Control-Allow-Origin: https://news.example.com
Once CORS access is configured, news.example.com can request resources from partner-api.com. For every request, partner-api.com will respond with Access-Control-Allow-Credentials : “true.” The browser then knows the communication is authorized and permits cross-origin access.
If you want grant access to multiple origins, use a comma-separated list or wildcard characters like * that grant access to everyone.
Reading material
https://github.com/explorer436/programming-playground/tree/main/CORS
- https://aws.amazon.com/what-is/cross-origin-resource-sharing/ (very good explanation)
- https://portswigger.net/web-security/cors (very good explanation)
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- https://spring.io/guides/gs/rest-service-cors/
- https://spring.io/blog/2015/06/08/cors-support-in-spring-framework