Is CORS a secure way to do cross-domain AJAX requests?

javascript ajax cross-domain cors
Gibarian2001 picture Gibarian2001 · Jan 31, 2011 · Viewed 25.8k times · Source

After reading about CORS (Cross-Origin Resource Sharing), I don't understand how it improves security. Cross-Domain AJAX communication is allowed if the correct ORIGIN header is sent. As an example, if I send

ORIGIN: http://example.com

The server checks if this domain is in the white list and, if it is, header:

Access-Control-Allow-Origin: [received url here]

is sent back, together with the response (This is the simple case, there are also prefighted requests, but the question is the same).

Is this really secure? If someone wants to receive the information, faking an ORIGIN headers seems like a really trivial task. Also the standard says that the policy is enforced in the browser, blocking the response if Access-Control-Allow-Origin is not correct. Obviously if anyone is trying to get that info, he will not use a standard browser to block it.

Answer

jcoder picture jcoder · Jan 31, 2011

The purpose is to prevent this -

  • You go to website X
  • The author of website X has written an evil script which gets sent to your browser
  • that script running on your browser logs onto your bank website and does evil stuff and because it's running as you in your browser it has permission to do so.

The ideas is that your bank's website needs some way to tell your browser if scripts on website X should be trusted to access pages at your bank.

Related questions

Origin is not allowed by Access-Control-Allow-Origin

I'm making an Ajax.request to a remote PHP server in a Sencha Touch 2 application (wrapped in PhoneGap). The response from the server is the following: XMLHttpRequest cannot load http://nqatalog.negroesquisso.pt/login.php. Origin http://localhost:8888 is not …

Read More
CORS error on same domain?

I'm running into a weird CORS issue right now. Here's the error message: XMLHttpRequest cannot load http://localhost:8666/routeREST/select?q=[...] Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin Two servers: localhost:8666/routeREST/ : this is a simple Python Bottle server. …

Read More
jQuery AJAX cross domain

Here are two pages, test.php and testserver.php. test.php <script src="scripts/jq.js" type="text/javascript"></script> <script> $(function() { $.ajax({url:"testserver.php", success:function() { alert("Success"); }, error:function() { alert("Error"); }, …

Read More