
Why do I need to set Access-Control-Allow-Origin to * for an MP3 file so that it can be loaded by websites of other domains? What's the security risk with this?

Or is it just to prevent others from displaying content that you didn't authorize them to (assuming browsers support CORS)?

trusktr
  • See https://stackoverflow.com/a/27431853/6680611 – cartant Dec 23 '17 at 06:59
  • @cartant That doesn't explain why reading a media file is a security concern. Or is it about protecting other people's content from being read, and not about security? If so, that is weird. There are plenty of other ways to get the content of an MP3 file if one really wants to... I am just trying to understand how blocking a script from reading an MP3 file is of value for security. – trusktr Dec 29 '17 at 06:47
  • Yes. Cross-origin reading in general (not just for MP3 files) is disallowed, with CORS being opt-in. – cartant Dec 29 '17 at 07:36

1 Answer


Most video players are initialized using JS in script tags, and the video is fetched through an XMLHttpRequest.

According to the docs:

For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts. For example, XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request HTTP resources from the same domain the application was loaded from unless CORS headers are used.

So for security and to prevent data breach, CORS headers are required.

Ayush Gupta
  • I know, but how is downloading an MP3 file inside a web site specifically a security concern? I don't see how it is... – trusktr Dec 29 '17 at 06:37
  • Data breach issue for the server, rather than the client – Ayush Gupta Dec 29 '17 at 06:39
  • Say, if I want a video `http://example.com/example.mp4` to run on `http://example.com` only, I will not send the CORS header. In this way, some 3rd party website will not be able to fetch the video from my server using JS `script` tags – Ayush Gupta Dec 29 '17 at 06:41
  • In the sense of protecting people's copyrights and IP, that makes sense. However, this doesn't prevent the determined copyright violator from downloading the MP3 file in some other way, and therefore CORS is only causing problems due to various browser inconsistencies and bugs. For example, it's my own darn content I'm trying to use on different domains and Chrome won't let me even though my content has `Access-Control-Allow-Origin` set to "*"! I am just not liking CORS right now (or maybe I'm not liking Chrome). – trusktr Dec 29 '17 at 06:54
  • But Chrome doesn't KNOW that, it only knows that you're requesting a resource from an external site. And while it might seem pointless for videos, considering you can't really generalise video URLs, and CORS in real REST calls is a good thing, it makes sense to me. – Ayush Gupta Dec 29 '17 at 06:57
  • What I don't get is why I can't read the audio file even though the audio file has the header Access-Control-Allow-Origin set to "*". I made an issue about it: https://bugs.chromium.org/p/chromium/issues/detail?id=798043 – trusktr Dec 29 '17 at 07:10
  • I see, so if we're logged into youtube, but we visit something-else.com, and something-else.com knows the URL format for videos on youtube, then they could request them on our behalf and youtube wouldn't know, which would be bad because then that website could upload our private videos to their server. – trusktr Jan 02 '18 at 08:37
  • Before CORS existed, what did people do to prevent this? – trusktr Jan 02 '18 at 08:38
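To make the answer's point concrete, here is an added example (my own code, not from the original post or any browser or library) modelling the read check a browser applies to a cross-origin response, alongside the matching server-side header policy for public versus cookie-protected media; the origin names and function names are constructed for illustration.

```javascript
// Added example (not from the original post): a model of the browser-side
// "CORS check" from the Fetch standard plus a server-side policy helper.
// Names here are my own, not any library's API.

// Decide whether a script running on `origin` may read a cross-origin response.
// `credentials` is true when cookies were sent (fetch credentials: "include").
function corsCheck(origin, credentials, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;         // no CORS header: opaque
  if (!credentials && allowOrigin === "*") return true; // public resource
  if (allowOrigin !== origin) return false;             // must match exactly
  if (!credentials) return true;
  // With cookies, "*" is never accepted and credentials must be opted in.
  return headers["access-control-allow-credentials"] === "true";
}

// Server side: pick CORS headers for a media file. Public files get "*";
// cookie-protected files only echo an allow-listed origin.
function corsHeadersFor(requestOrigin, { isPublic, allowedOrigins = [] }) {
  if (isPublic) return { "access-control-allow-origin": "*" };
  if (!allowedOrigins.includes(requestOrigin)) return {}; // third party: opaque
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
    vary: "Origin", // keep shared caches from reusing one origin's answer
  };
}

// Constructed scenarios mirroring the thread: a public MP3 and a private video.
function scenarios() {
  const policy = { isPublic: false, allowedOrigins: ["https://app.example"] };
  const publicMp3 = corsHeadersFor("https://other.example", { isPublic: true });
  const privateVideo = corsHeadersFor("https://other.example", policy);
  const trustedVideo = corsHeadersFor("https://app.example", policy);
  return {
    publicReadable: corsCheck("https://other.example", false, publicMp3),
    // A third-party page sending the victim's cookies cannot read the response,
    // even if a server mistakenly answered a credentialed request with "*".
    publicWithCookies: corsCheck("https://other.example", true, publicMp3),
    privateFromThirdParty: corsCheck("https://other.example", true, privateVideo),
    privateFromTrusted: corsCheck("https://app.example", true, trustedVideo),
  };
}

console.log(scenarios());
```

The `publicWithCookies` case is the one behind the YouTube comment above: `*` only ever grants anonymous reads, so a logged-in user's private media is not exposed by it, while a server that wants to serve private media cross-origin must name the trusted origin explicitly.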