40

CORS is the most annoying shit ever seen...

Comments
  • 4
  • 5
    Nah. It's amazing.
  • 2
    The thing is, it adds no value. The whole thing can be circumvented with a proxy which can be hosted on DigitalOcean for pocket money with decent anonymity if you use a VPN (which attackers do).
  • 14
    When you understand it properly you will also know how to handle it properly. CORS is not a bug, and if it seems to be a pain in the ass it shows that you have a hole in your knowledge that you need to fill.
  • 3
    Imagine a case where your bank had a resource you could POST to, if authenticated, to transfer funds to another account. Say "POST /transfer accountNum=1234&sortcode=112233&bankCode=12345&amount=1000000" for instance. Now imagine you could make that POST to your bank's domain from any other site (so no CORS.)

    All I then have to do to steal all your money is persuade you to log into your bank via some social engineering attempt, and then give you a link to a site that makes that request in the background through AJAX. Without CORS your browser neither knows nor cares what site that request is coming from, it just fires it off - and as far as the bank's server is concerned, you're authenticated. Money gone.

    Alternatively I just try to put the above code on some viral site, and then spam it to the masses. Even if only 0.001% are logged in, it's enough to make me a lot of money.

    Obviously most banks are far more secure in the real world, but plenty of other sites aren't.
  • 5
    ...addendum, but this is why it's not just "thwarted" by going through a proxy, since the proxy won't be authenticated as your browser is, so the request won't work.

    There are other measures that the calling site can put in place to mitigate such attacks from their side of course (random CSRF parameters for instance - CSRF is a related area.) But CORS is definitely an important and necessary piece of security to stop a few cases of nasty attacks. A PITA, yes, but a necessary one.
  • 2
    @ answer to everyone, not gonna tag

    Very cool from a security standpoint, except when you don't really want security and * for some reason doesn't work and you spend hours looking up cors shit for your 30 line python cock drawing website
  • 1
    @Lor-inc This is AFAIK not true.
    Yes, you can successfully hack yourself with it (what an achievement), but only others if you trick other people to use your proxy service (and do e.g. SSL stripping).
  • 0
    @rutee07
  • 0
    @AlmondSauce It's redundant, CSRF fixes every issue CORS would.
  • 0
    @sbiewald I could imagine a world where security is handled the simplest and most predictable possible way, and it's not up to browsers and http to solve every problem to ever emerge, thus making it impossible to cherry pick features. That is, XSRF tokens, in this case.
  • 1
    @tague CORS and CSRF tokens still solve the same issue, cross-site request forgery. And of the two, tokens are more predictable and don't require extra rules to be put in place. Manually adding a session key header to every request _without_ involving browser features has the same effect.

    And the fundamental problem is the cookie system that represents user intent and identity but also works when a third party sends an ajax, so I would also consider just not using it altogether.
  • 6
    CORS won't stop you from _doing_ POST requests (or PUT, or DELETE, or GET, ...). It will stop you from _seeing_ the response to such requests. This is why CSRF is still needed.

    CORS and CSRF are not competing, they take care of different problems.
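An added example, not part of any comment in this thread: a simplified JavaScript model of the browser-side CORS decisions. It shows that the form-encoded cross-site POST described above is sent without a preflight while only its response is withheld, and why `Access-Control-Allow-Origin: *` is rejected once cookies are attached. The function names, the `https://other.example` origin, and the single header map used for both the preflight and the real response are assumptions made for illustration.

```javascript
// Simplified model of the browser's CORS decisions (after the Fetch standard).
// Constructed for illustration; header names are lowercase in the `res` maps.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Request header names that force a preflight (lowercased).
function unsafeHeaders(req) {
  return Object.entries(req.headers || {})
    .map(([name, value]) => [name.toLowerCase(), String(value)])
    .filter(([n, v]) => !SAFELISTED.has(n) ||
      (n === "content-type" && !SIMPLE_TYPES.has(v.split(";")[0].trim().toLowerCase())))
    .map(([n]) => n);
}

// The CORS check on a response: may script running on req.origin read it?
function passesCorsCheck(req, res) {
  const acao = res["access-control-allow-origin"];
  if (!req.credentials) return acao === "*" || acao === req.origin;
  // With cookies attached, "*" is not accepted and Allow-Credentials must be "true".
  return acao === req.origin && res["access-control-allow-credentials"] === "true";
}

// Does the OPTIONS preflight response permit the real request to be sent?
function preflightAllows(req, res) {
  if (!passesCorsCheck(req, res)) return false;
  const list = (h) => (res[h] || "").split(",").map((s) => s.trim()).filter(Boolean);
  const methods = list("access-control-allow-methods");
  const headers = list("access-control-allow-headers").map((s) => s.toLowerCase());
  const wildcard = (l) => !req.credentials && l.includes("*");
  const methodOk = SIMPLE_METHODS.has(req.method) || wildcard(methods) || methods.includes(req.method);
  return methodOk && unsafeHeaders(req).every((h) => wildcard(headers) || headers.includes(h));
}

// res: CORS headers the server returns (assumed identical for preflight and real response).
function corsOutcome(req, res) {
  const preflight = !SIMPLE_METHODS.has(req.method) || unsafeHeaders(req).length > 0;
  const sent = preflight ? preflightAllows(req, res) : true;
  return { preflight, sent, readable: sent && passesCorsCheck(req, res) };
}

// Constructed sample: the form-encoded cross-site POST from the thread; server sends no CORS headers.
const formPost = { origin: "https://other.example", method: "POST", credentials: true,
  headers: { "Content-Type": "application/x-www-form-urlencoded" } };
console.log(corsOutcome(formPost, {}));
```

Because the first case reaches the server, the endpoint itself still has to reject it, for example with the CSRF tokens or SameSite cookies mentioned in the thread.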
  • 1
    Just wait for the new default SameSite behaviour... That will kill a few perfectly working solutions...
  • 0
    Wait until you hear about iframes...
  • 1
  • 0
    Firefox lets you debug locally without annoying CORS obstacles.