CORS Security Debates
Discussions center on the purpose, limitations, and misconceptions of CORS in relation to the Same-Origin Policy, browser security, and preventing cross-origin attacks like XSS or CSRF.
Sample Comments
You two have this entirely backwards. It’s the Same-Origin Policy that is stopping you from doing what you want. CORS is a way of loosening up the security to make more things possible. CORS doesn’t – and can’t – stop you from accessing anything. If you “disable CORS” in your browser, guess what? You’re going to be able to access less stuff.
Isn't CORS supposed to prevent this?
But CORS is strict by default. They must specially add headers to allow such requests.
CORS does not protect the website at all…
No, CORS doesn't apply here. CORS regulates cross-origin requests, but the attack here makes the browser think the requests are same-origin. (Also, CORS can only be used to permit access that would normally be denied. CORS does not offer any way to deny access that is normally permitted.)
This also sneaks past CORS. I'm thinking _that's_ a problem.
CORS cannot be defeated, because it does not protect
Wouldn't that be stopped by CORS blocking, which is pretty much the norm for large websites?
It's an interesting feature, but remember that CORS exists for a reason; this can also lead to a delightful variety of custom CSRF attacks etc. ;)
You're correct, the browser is the safety net when it comes to CORS.