Cross-Origin Resource Sharing with credentials and “essentially” any origin

In step 3 of the resource-request processing model of the W3C Cross-Origin Resource Sharing recommendation (http://www.w3.org/TR/cors/#resource-requests) it says:

If the resource supports credentials, add one Access-Control-Allow-Origin Header with an Origin value as the value for the header and add a single Access-Control-Allow-Credentials header with the case-sensitive string "true" as the value.

Otherwise, add a single Access-Control-Allow-Origin header, using either the value of the Origin header or the string "*" as the value.

The string "*" cannot be used for a resource that supports credentials.

This is reflected in the code as follows (from CorsService.cs, comments added):

// Policy allows any origin ("*").
if (policy.AllowAnyOrigin)
{
    if (policy.SupportsCredentials)
    {
        // "*" is not permitted together with credentials, so the request's
        // Origin header is echoed back verbatim as the allowed origin.
        result.AllowedOrigin = origin;
        // Response differs per origin, so caches must key on Origin.
        result.VaryByOrigin = true;
    }
    else
    {
        // No credentials: the literal "*" is fine.
        result.AllowedOrigin = CorsConstants.AnyOrigin;
    }
}
// Otherwise only origins on the explicit allowlist are echoed back.
else if (policy.Origins.Contains(origin))
{
    result.AllowedOrigin = origin;
}

https://github.com/aspnet/CORS/blob/release/src/Microsoft.AspNet.Cors/CorsService.cs#L219

My question is, how is this safe at all? What is the point of the browser's "*" restriction on permitted origins when credentials are allowed, if the server can simply be instructed to bypass that restriction?


A comment from @BrainSlugs83 seems to answer the question, so I am copying it here:

It's not safe! It is essentially the C# version of the "workaround" posted here: fooobar.com/questions/7655 / ...

This code violates the purpose of the CORS restriction.
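To make the answer concrete, here is an added example (not from the question, the commenter, or the ASP.NET CORS project) that models the quoted origin decision in Python next to the browser-side rule for credentialed requests, and audits whether a page on an origin that is not on the allowlist can read the response. The policy field names and the probe origin are assumptions; the real library emits Access-Control-Allow-Credentials in a separate step, which is folded in here.

```python
from dataclasses import dataclass

ANY_ORIGIN = "*"  # CorsConstants.AnyOrigin in the quoted snippet

@dataclass(frozen=True)
class CorsPolicy:
    allow_any_origin: bool = False
    supports_credentials: bool = False
    origins: frozenset = frozenset()  # explicit allowlist (assumed field name)

def cors_headers(policy: CorsPolicy, origin: str) -> dict:
    """Server side: the origin decision from the quoted snippet, plus the
    Allow-Credentials header the spec pairs with it (assumption: the real
    library adds that header in a separate step)."""
    headers = {}
    if policy.allow_any_origin:
        if policy.supports_credentials:
            # "*" is forbidden with credentials, so the request's Origin is
            # echoed back: whichever origin asks is allowed.
            headers["Access-Control-Allow-Origin"] = origin
            headers["Vary"] = "Origin"
        else:
            headers["Access-Control-Allow-Origin"] = ANY_ORIGIN
    elif origin in policy.origins:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"  # per-origin responses must not be cached together
    if policy.supports_credentials and "Access-Control-Allow-Origin" in headers:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

def browser_exposes_credentialed_response(headers: dict, origin: str) -> bool:
    """Browser side, for a request sent with credentials: the response is
    readable only if ACAO equals the page's origin exactly (never "*")
    and ACAC is the literal string "true"."""
    return (headers.get("Access-Control-Allow-Origin") == origin
            and headers.get("Access-Control-Allow-Credentials") == "true")

def leaks_to_unlisted_origin(policy: CorsPolicy,
                             probe: str = "https://unlisted.example") -> bool:
    """Audit: can a page on an origin not on the allowlist read a
    credentialed response? True means the policy is unsafe."""
    assert probe not in policy.origins
    return browser_exposes_credentialed_response(cors_headers(policy, probe), probe)
```

With AllowAnyOrigin plus SupportsCredentials the audit returns True, because reflecting Origin grants exactly what the forbidden "*" would have; an explicit allowlist with credentials returns False.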


Source: https://habr.com/ru/post/1618519/
