Book Excerpt: The Tangled Web: A Guide to Securing Modern Web Applications
By Michal Zalewski
January 17, 2012
Security Checks for Simple Requests
The CORS specification allows simple requests to be submitted to the destination server immediately, without attempting to confirm whether the destination is willing to engage in cross-domain communications to begin with. This decision is based on the fact that the attacker may initiate fairly similar cookie-authenticated traffic by other means (for example, by automatically submitting a form) and, therefore, that there is no point in introducing an additional handshake specifically for CORS.
The crucial security check is carried out only after the response is retrieved from the server: The data is revealed to the caller through the XMLHttpRequest API only if the response includes a suitable, well-formed Access-Control-Allow-Origin header. To assist the server, the original request will include a mandatory Origin header, specifying the origin associated with the calling script.
To illustrate this behavior, consider the following cross-domain XMLHttpRequest call performed from http://www.bunnyoutlet.com/:
var x = new XMLHttpRequest();
x.open('GET', 'http://fuzzybunnies.com/get_message.php?id=42', false);
x.send(null);
The result will be an HTTP request that looks roughly like this:
GET /get_message.php?id=42 HTTP/1.0
Host: fuzzybunnies.com
Origin: http://www.bunnyoutlet.com
...
To indicate that the response should be readable across domains, the server needs to respond with
HTTP/1.0 200 OK
Access-Control-Allow-Origin: http://www.bunnyoutlet.com
...
The secret message is: "It's a cold day for pontooning."
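The exchange above, modelled end to end as an added example that is not from the book: the browser builds the simple request with its mandatory Origin header, the server answers, and the response body is exposed to the script only if Access-Control-Allow-Origin names the caller's exact serialized origin or is "*". Two hypothetical server handlers are included for contrast, one that blindly emits "*" and one that echoes the Origin only when it appears on an explicit allowlist. The allowlist, the handler names, the attacker origin http://evil.example and the Vary: Origin header are assumptions for the illustration; the message text and URLs are the ones used above.

```javascript
// Added example, not code from the book. Models the CORS simple-request
// check with plain functions so it runs under Node without a browser.

// Serialize a URL into its origin, e.g. "http://www.bunnyoutlet.com".
// Scheme, host and port are all part of the origin; path is not.
function serializeOrigin(url) {
  return new URL(url).origin;
}

// Browser side: the simple request goes out immediately, with an Origin
// header derived from the calling page (scripts cannot set it themselves).
function buildSimpleRequest(callerPageUrl, targetUrl) {
  const target = new URL(targetUrl);
  return {
    method: 'GET',
    path: target.pathname + target.search,
    headers: { Host: target.host, Origin: serializeOrigin(callerPageUrl) },
  };
}

// Browser side: the crucial check, run only after the response arrives.
// Header names are compared lower-cased, values are compared exactly:
// "http://www.bunnyoutlet.com/" (trailing slash) or "https://..." must not
// match the caller origin "http://www.bunnyoutlet.com".
function isResponseReadable(callerPageUrl, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (acao === '*') return true;
  return acao === serializeOrigin(callerPageUrl);
}

const SECRET = 'The secret message is: "It\'s a cold day for pontooning."';

// Server side, weak (hypothetical handler): "*" on every response. Any
// origin, including an attacker's page, can now read the cookie-authenticated
// body, so the same-origin policy no longer protects this resource.
function weakHandler(request) {
  return {
    status: 200,
    headers: { 'access-control-allow-origin': '*' },
    body: SECRET,
  };
}

// Server side, corrected (hypothetical handler): echo the request's Origin
// only when it is on an explicit allowlist; otherwise send no
// Access-Control-Allow-Origin at all, so the browser withholds the body.
// Vary: Origin (an assumption, standard HTTP caching practice) keeps a shared
// cache from replaying one origin's header to another.
const ALLOWED_ORIGINS = new Set(['http://www.bunnyoutlet.com']); // assumed allowlist

function allowlistHandler(request) {
  const origin = request.headers.Origin;
  const headers = {};
  if (origin !== undefined && ALLOWED_ORIGINS.has(origin)) {
    headers['access-control-allow-origin'] = origin;
    headers['vary'] = 'Origin';
  }
  // Note: the request is processed either way. CORS never stopped it from
  // reaching the server; it only governs whether the caller may read the reply.
  return { status: 200, headers, body: SECRET };
}

// Run one round trip and report whether the calling script gets the body.
function simulate(callerPageUrl, targetUrl, handler) {
  const request = buildSimpleRequest(callerPageUrl, targetUrl);
  const response = handler(request);
  return isResponseReadable(callerPageUrl, response.headers);
}

const TARGET = 'http://fuzzybunnies.com/get_message.php?id=42';
console.log(simulate('http://www.bunnyoutlet.com/', TARGET, allowlistHandler)); // true
console.log(simulate('http://evil.example/', TARGET, allowlistHandler));        // false
console.log(simulate('http://evil.example/', TARGET, weakHandler));             // true
```

The third call is the NOTE below in action: with the wildcard handler, the attacker-controlled page at http://evil.example reads the same secret that the allowlist handler reveals only to www.bunnyoutlet.com. Because the request itself is delivered in both cases, a server that relies on the allowlist for confidentiality still needs its own CSRF defenses for any state-changing endpoint.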
NOTE: It is possible to use a wildcard (“*”) in Access-Control-Allow-Origin, but do so with care. It is certainly unwise to indiscriminately set Access-Control-Allow-Origin: * on all HTTP responses, because this step largely eliminates any assurances of the same-origin policy in CORS-compliant browsers.