I recently got my hands on a relatively old Cordova app for iOS (iPhones), which was built around one year ago, in order to debug it.

The app queries an API from a server. This server is built using Laravel and makes use of laravel-cors.

For a peculiar reason, the developers of this app have set up CORS server-side to accept requests only if the Origin header is missing.

I was told that the app was working just fine for the past year. While debugging it, I noticed that the iOS browser adds origin => 'file://' to its headers when the Cordova app uses $.ajax for doing requests.

And now for my questions:

Are you aware of such a change on newer iOS versions? I suppose I can't do anything client-side in order to bypass it?

How safe is it to add "file://" as an accepted origin, server-side?

Thanks a ton!

mitsest
  • In my memories, the CORS security is a client-side security that is being used by browsers to check if the user can make a request to a certain server. So, basically, for a Cordova App you don't need to implement CORS on server side. You might need it during development if you test your app on a browser tho – Hammerbot Sep 27 '16 at 10:18
  • You're right, and I also made the devs aware of this, but they told me to avoid tampering with the server if possible. So, I ended up using https://github.com/wymsee/cordova-HTTP to bypass my issues with CORS. So, I'll have to change every $.ajax call into cordovaHTTP.post. Bah, could be worse!!! – mitsest Sep 27 '16 at 11:30
  • @El_Matella Very often the same server-side is used for both Cordova and non-Cordova (browser) apps. So one can't just turn off CORS without increasing the attack surface for regular browser clients. Cordova simply shouldn't be sending this Origin. – Raman Sep 27 '16 at 13:16
  • My colleague asked the same question here: http://stackoverflow.com/questions/39713671/how-to-remove-the-origin-header-from-cordova-rest-calls?noredirect=1&lq=1 – Raman Sep 27 '16 at 13:36

1 Answer

The reason the server accepts null-Origin isn't "peculiar" -- that is how CORS is defined to work. It is intended to protect against browser-based XSS attacks -- browsers send the Origin header automatically so the server can accept or reject the request based on which domain(s) they allow JavaScript calls from. It is intended as a safe standards-based successor to the JSONP hack to allow cross-origin server requests, but in a controlled way. By default, browsers require and allow only same-origin XHRs and other similar requests (full list).

CORS is undefined for non-browser clients, since non-browser clients can set whatever Origin they want to anyway (e.g. curl), so in those cases it makes sense to just leave off the Origin header completely.

To answer part of your question, it is not (very) safe to add file:// as an accepted origin server-side. The reason is that an attacker wishing to bypass CORS protections could trick a user into downloading a web page to their filesystem and then executing it in their browser -- thus bypassing any intended Origin restrictions since file:// is in the allowed list. There may also be other exploits, known and unknown, that could take advantage of servers that accept a file:// origin.

You'll have to evaluate the risks of adding this based on your own project requirements.

Raman
  • Yeah, I feared this would be the answer... Thanks for your time! I ended up using https://github.com/wymsee/cordova-HTTP for my ajax requests. – mitsest Sep 27 '16 at 14:23
  • @mitsest Thanks for the tip on `cordova-HTTP`. I'm going to look into it as well. – Raman Sep 27 '16 at 15:39
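The server-side decision the answer describes, modelled as an added example (not the project's code or laravel-cors's): the allowlist, the client header sets and the status codes are constructed, and the native HTTP plugin is assumed to send no Origin header at all, consistent with the workaround reported in the thread.

```python
"""Model of a server-side CORS check and why 'file://' must not be allowlisted."""
from typing import Tuple

ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allowlist

# Origins a browser sends for content it did not load from a web server:
# a page opened from the local filesystem, a sandboxed iframe, and so on.
# None of them names a site the server can trust.
OPAQUE_ORIGINS = {"file://", "null"}


def cors_decision(headers: dict, allowed: set) -> Tuple[int, dict]:
    """Return (status, response_headers) for one actual (non-preflight) request.

    Mirrors the behaviour in the question: a request without Origin is not a
    CORS request (curl, native HTTP clients) and passes with no CORS headers;
    a request carrying an Origin passes only if that exact value is in the
    allowlist, otherwise the server refuses it with 403.
    """
    origin = headers.get("Origin")
    if origin is None:
        return 200, {}
    if origin in allowed:
        return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return 403, {}


def is_safe_allowlist(allowed: set) -> bool:
    """False if the allowlist would accept an opaque origin anyone can produce."""
    return not (allowed & OPAQUE_ORIGINS)


def compare_configs(strict: set, with_file: set) -> dict:
    """Run the clients discussed in the thread against both allowlists.

    Returns {client: (status_with_strict, status_with_file)}. The Cordova
    webview and a saved page opened locally both present 'Origin: file://',
    so the server cannot tell them apart: any allowlist that admits the app
    admits the attacker's page too.
    """
    clients = {
        "browser_app": {"Origin": "https://app.example.com"},
        "cordova_webview_ajax": {"Origin": "file://"},       # what the OP observed
        "native_http_plugin": {},                            # assumed: no Origin sent
        "saved_page_opened_locally": {"Origin": "file://"},  # the answer's risk case
    }
    return {name: (cors_decision(h, strict)[0], cors_decision(h, with_file)[0])
            for name, h in clients.items()}
```

Calling `compare_configs(ALLOWED_ORIGINS, ALLOWED_ORIGINS | {"file://"})` shows the webview and the locally opened page moving from 403 to 200 together, while the native client passes under both configurations.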