I see that setting the "*" wildcard is a security risk, i.e.
Access-Control-Allow-Origin: "*"
What I would like to know is: are there any security risks in setting a concrete domain, i.e.
Access-Control-Allow-Origin: http://www.example.com
CORS headers are typically used for JavaScript AJAX requests. Browsers have a built-in safety mechanism that doesn't allow you to query other domains unless they explicitly allow it by setting these CORS headers.
There isn't much of a security risk really. You can always send malicious requests anyway. Browsers just collectively decide to play nice.
One thing to be aware of is that you don't necessarily always want to send the Access-Control-Allow-Origin: http://www.example.com header. This could potentially lead people to all the domains that make use of your API. My recommendation is that you only emit the header if it is necessary, i.e. you get an OPTIONS request from a whitelisted domain.
I wrote a blog post about this recently: http://fritsvancampen.wordpress.com/2013/02/03/cross-site-origin-requests-aka-cross-origin-resource-sharing/
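
The allowlist approach recommended in the answer above can be sketched as a small header-selection function. This is an added example, not code from the original post or the linked blog; the function name `corsHeaders`, the allowlist entries, the allowed methods and headers, and the sample requests are all constructed assumptions.

```javascript
// Constructed allowlist: exact scheme://host[:port] strings, as browsers send them in Origin.
const ALLOWED_ORIGINS = new Set([
  "http://www.example.com",
  "https://app.example.com",
]);

// Returns the CORS response headers for one request.
// `method` is the HTTP method; `headers` holds request headers with lower-cased names.
function corsHeaders(method, headers, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin keeps shared caches from serving one origin's response to another.
  const out = { "Vary": "Origin" };
  const origin = headers["origin"];

  // No Origin header (same-origin or non-browser client): emit no CORS header.
  // Exact string match only: no substring, suffix or regex tests, and the
  // literal "null" origin is never in the set.
  if (typeof origin !== "string" || !allowed.has(origin)) return out;

  // Echo the single matching origin, so the response never lists the other
  // consumers of the API and never falls back to "*".
  out["Access-Control-Allow-Origin"] = origin;

  // Preflight: OPTIONS carrying Access-Control-Request-Method.
  // The browser also checks Access-Control-Allow-Origin on the actual response,
  // which is why it is set above for every allowlisted request.
  if (method === "OPTIONS" && headers["access-control-request-method"]) {
    out["Access-Control-Allow-Methods"] = "GET, POST";
    out["Access-Control-Allow-Headers"] = "Content-Type";
    out["Access-Control-Max-Age"] = "600";
  }
  return out;
}

// Constructed sample requests: preflight, actual request, lookalike origin,
// sandboxed "null" origin, and a request with no Origin header.
const samples = [
  ["OPTIONS", { origin: "http://www.example.com", "access-control-request-method": "POST" }],
  ["GET", { origin: "http://www.example.com" }],
  ["GET", { origin: "http://www.example.com.lookalike.test" }],
  ["GET", { origin: "null" }],
  ["GET", {}],
];
for (const [m, h] of samples) {
  console.log(m, h.origin ?? "(none)", "->", JSON.stringify(corsHeaders(m, h)));
}
```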