Confusion over how Cross-Origin Resource Sharing (CORS) works

From what I understand about CORS, here's how it works: I have a site foo.com that serves page X. X wants to send data to another domain, bar.com. If bar.com is CORS-enabled (its headers set Access-Control-Allow-Origin: foo.com), then page X can now send data to bar.com.

As I understand it, CORS is configured on bar.com and has nothing to do with foo.com. It's all about the fact that bar.com does not accept requests from any old domain.

However, this really doesn't make sense to me. I thought CORS was designed to let foo.com dictate who X is allowed to talk to. If we go back to the previous example, but this time X is compromised by a dodgy script that secretly sends data to evil.com, how is CORS going to stop it? evil.com is CORS-enabled with the header set to *, so it will accept requests from anything. Thus, a user who thinks they are using the site foo.com unwittingly sends data to evil.com.

If this is really all about bar.com protecting itself, then why make the browser enforce the policy? The only situation where this makes sense is if you have evil.com serving a page Y, which pretends to be foo.com and tries to send data to bar.com. But since CORS works in the browser, all you have to do is make evil.com a proxy server that sends requests with a fake origin to bar.com (data goes from Y to evil.com, evil.com sets its fake origin to foo.com and then sends it on to bar.com).

It only makes sense to me if it works the other way around. foo.com is CORS-enabled, and its headers are set to Access-Control-Allow-Origin: bar.com. Thus, rogue scripts will be denied access to evil.com in the browser. Then it makes sense for the browser to enforce the policy, because it is what runs the scripts. It will not stop rogue sites from trying to send rogue data to bar.com, but bar.com can protect itself with a username/password. If foo.com has endpoints that expect data from X, you can insert tokens in X so that evil.com cannot send them data.

It seems I am missing something fundamental here. Any help would be much appreciated.

+5
2 answers

However, this really does not make sense to me. I thought CORS was designed to let foo.com dictate who X is allowed to talk to.

No, it's about bar.com controlling the use of its content.

But CORS acts in the browser, all you have to do is make evil.com a proxy server that sends requests with a fake origin to bar.com ...

Yeah. And if you do, and the people at bar.com notice and care, they will block requests from your server. You move it, they block the new one. And so on. But painful as this whack-a-mole game is, it is much less painful than if the requests came directly from each individual foo.com user's desktop.

Having foo.com enforce what foo.com can do makes no sense. foo.com already controls what foo.com can do, because it is foo.com that serves foo.com's content and scripts.

+3

This is not about Foo.com, nor about Bar.com. It's about the user.

There are two things that CORS protects. The first is access to resources behind the firewall. The second is resources that are normally protected unless the request is sent from a browser carrying authentication cookies or other sensitive data.

CORS is a server-side technology, enforced by the browser, that governs foo's freedom to make calls outside its own domain. It is a limited hole punched in the restriction on cross-domain scripts.

Anyone can fake the Origin header and craft a CORS preflight or a simple request. Of course, anyone can connect to the bar server directly and make requests without using CORS. Any browser can connect directly to bar.com and receive data. But a modern browser will not run a script from foo.com that accesses a bar.com resource. People visiting websites are protected from a site that intends to abuse their cookies, or the fact that their browser sits behind a corporate firewall.

So the accepted answer is WRONG. It is not about bar.com protecting its resources - it does that through authentication and authorization. You do not need to set up a proxy to send CORS requests - you set up a proxy to circumvent CORS (it automatically answers the preflight request and returns the appropriate headers to the browser, while sending a normal request on to bar.com). But you still need authentication to get at bar.com's resources, and foo.com would still somehow have to force you to set up a proxy server in order to use the scripting hole that CORS guards.

But the final sentence is correct - foo.com does not control the resources - it is the browser, with a quick check against bar.com to ask whether this was something it intended.

From OP:

If this is really all about protecting bar.com, then why force the browser to enforce the policy? The only situation where this makes sense is if you have evil.com serving a page Y, which pretends to be foo.com and tries to send data to bar.com. But CORS is browser-enforced, so all you have to do is make evil.com a proxy that sends requests with a fake origin to bar.com (data goes from Y to evil.com, evil.com sets its fake origin to foo.com and then sends it on to bar.com).

evil.com can already contact bar.com - just like any person using a browser can (or curl, wget, etc.). The problem is that evil.com forces your browser to connect to bar.com, which may have IP filters, cookies, firewalls, etc. protecting it; JavaScript running in your browser can still connect to it. Thus the browser is what protects the user, by prohibiting cross-domain scripts. But sometimes a cross-domain script is useful (for example Google APIs, or a bank connecting to a payment service). CORS tells the browser that everything is fine in this case.

This does not mean that there are no holes, or that the standard is the best one, or that there are no holes in browsers, or that sites are not too permissive. But these are different questions ...

+2
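Added illustration (not code from the question or the answers): a toy model of the point both answers make about where the CORS check actually happens. bar.com only publishes a policy in its headers; the browser is the only party that enforces it, and a non-browser client with a forged Origin gets the same headers back with nothing to stop it. The origins, allowlist and request shapes are constructed for this example.

```python
# Added illustration (not from the question or answers): a toy model of where
# the CORS check actually happens. bar.com publishes a policy; the browser is
# the only party that enforces it. Origins, the allowlist and the request
# shapes are constructed for this example.

ALLOWED_ORIGINS = {"https://foo.com"}   # bar.com's allowlist (assumed)

def cors_headers(origin, credentials=True):
    """bar.com's side. It can only state its policy; it cannot verify that
    the Origin header is genuine, so it must not treat it as authentication."""
    if origin in ALLOWED_ORIGINS:
        hdrs = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if credentials:
            hdrs["Access-Control-Allow-Credentials"] = "true"
        return hdrs
    return {}  # no CORS headers at all for unknown origins

def preflight(origin, method, extra_headers):
    """Response to the OPTIONS preflight a browser sends before a
    'non-simple' request (e.g. a JSON POST)."""
    hdrs = cors_headers(origin)
    if hdrs:
        hdrs["Access-Control-Allow-Methods"] = "GET, POST"
        hdrs["Access-Control-Allow-Headers"] = ", ".join(extra_headers)
    return hdrs

def browser_allows_read(page_origin, response_headers, credentials=True):
    """The enforcement point: a script on page_origin may read the response
    only if bar.com named that origin ('*' is not accepted with credentials)."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao == "*":
        return not credentials
    return acao == page_origin

def script_fetch(page_origin, method="GET", extra_headers=()):
    """fetch() from a page on page_origin; the browser sets Origin itself."""
    non_simple = method not in ("GET", "POST") or bool(extra_headers)
    if non_simple and not preflight(page_origin, method, extra_headers):
        return "blocked: preflight failed, request never sent"
    # simple requests ARE sent (cookies included); only the read is gated
    if browser_allows_read(page_origin, cors_headers(page_origin)):
        return "sent, response readable"
    return "sent, response opaque to script"

def curl_with_forged_origin(forged_origin):
    """A non-browser client: the headers come back, nobody enforces them.
    This is why bar.com still needs authentication and authorization."""
    return cors_headers(forged_origin)
```

Note the simple-request case: the browser still sends the GET (with cookies) to bar.com and only withholds the response from the script, which is why CORS is not a substitute for anti-CSRF measures on bar.com.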

Source: https://habr.com/ru/post/1209619/
