14

I have a website with a separate subdomain for static files. I found out that I need to set the Access-Control-Allow-Origin header in order for certain AJAX features to work, specifically fonts. I want to be able to access the static subdomain from localhost for testing as well as from the www subdomain. The simple solution seeems to be Access-Control-Allow-Origin: *. My server uses nginx.

What are the main reasons that you might not want to use a wildcard for Access-Control-Allow-Origin in your response header?

cambunctious
  • 8,391
  • 5
  • 34
  • 53
  • That allows any browser based script to access your URL, if you don't want that then you would not use it. – Alex K. May 12 '16 at 17:20
  • 1
    See the answer at https://stackoverflow.com/a/43154277/441757. The only case when you’d not want to use the wildcard is for resources that are within an intranet behind a firewall; that is, resources which you can’t already access from anywhere using curl or Postman or whatever. If you *can* access a resource from anywhere using curl or Postman or such, then there’s no reason to avoid using the wildcard. Using the wildcard with resources that require authentication credentials is also bad, but even if you tried that you wouldn’t be able to anyway, because the CORS protocol doesn’t allow it. – sideshowbarker Jan 10 '20 at 12:19

4 Answers4

1

You might not want to use a wildcard when e.g.:

  1. Your web and let’s say its AJAX backend API are running on different domains, or just on different ports and you do not want to expose backend API to whole Internet, then you do not send *. For example your web is on http://www.example.com and backend API on http://api.example.com, then the API would respond with Access-Control-Allow-Origin: http://www.example.com.
  2. If the API wants to request cookies from client it must not send Access-Control-Allow-Origin: *, but its value must be the value of the origin from the actual request.
Michal Foksa
  • 11,225
  • 9
  • 50
  • 68
0
  1. For testing, actually adding entry in /ets/hosts file for 127.0.0.1/server-public-ip dev.mydomain.com is a decent workaround.
  • Other way can be to have another domain served by nginx itself like dev.mydomain.com pointing to the same/test-instance of backend servers & static-web-root with some security measures like:
satisfy all; 
allow <YOUR-CIDR/IP>;
deny all;
  1. Clarification on: Access-Control-Allow-Origin: *
  • This setting protects the users of your website from being scammed/hijacked while visiting other evil-websites in a modern-browser which respects this policy (all known browsers should do).
  • This setting does not protect the webservice from scraper scripts to access your static-assets & APIs at rapid speed - doing bruteforce attacks/bulk downloading/causing load etc.

P.S: (1) For development: you can consider using a free, low-footprint private-p2p vpn-like network b/w your development box & server: https://tailscale.com/

dsculptor
  • 341
  • 2
  • 8
-1

In my opinion, is that you could have other websites consuming your API without your explicit permission. Imagine you have an e-commerce, another website could do all the transactions using their own look and feel but backed by you, for you, in the end, it is good because you will get the money in the end but your brand will lose its "recognition". Another problem could be if this website would change the sent payload to your backend doing things like changing the delivery address and other things. The idea behind is just to not authorize unknown websites to consume your API and show its result to users.

Jayson Reis
  • 708
  • 5
  • 14
-1

You could use the hosts file to map 127.0.0.1 to your domain name, "dev.mydomain.com", as you do not like to use Access-Control-Allow-Origin: *.

sanigo
  • 625
  • 4
  • 14