I was working on an AWS project, and noticed that in order to allow CORS, my seniors had set the header property Access-Control-Allow-Origin in the response. So the whole response was like:
    module.exports.handlerFunction = async (event, context) => {
        // code here for DB calls and other logic
        const result = {}; // placeholder for the result of the DB calls above
        return {
            headers: {
                "Access-Control-Allow-Origin": "*"
            },
            statusCode: 200,
            body: JSON.stringify(result) // API Gateway proxy integration expects a string body
        };
    };
And my thoughts were: how is it even working and allowing CORS? What if we didn't want the origin to perform any operations and had set "Access-Control-Allow-Origin": "https://example.com"?
Since we are setting this in the response, the origin which was not supposed to do anything and just return has now done everything and then responded with a CORS error. I asked my seniors, "How is this working and how does CORS work?" The response was that it's a browser property and the browser sends a pre-flight request and checks for CORS. But we check for CORS at the end, once everything is done, so how did the pre-flight request skip all our DB and API call checks and just land at the end and check for the response headers? They had no answer and repeated the same pre-flight concept. I asked the next question: "Browsers have the pre-flight concept to check for CORS, but what about Postman, cURL requests, and API calls via various programs like node-fetch, request, and the https module in NodeJs; do they also make a pre-flight call?"
Also, when I was creating my NodeJs Express server application, I used cors, an npm module. With that I checked for CORS before entering any API function, on entry of every call, and only allowed permitted sources to enter. The code is like:
    const CORS = require('cors'),
          express = require('express');
    const app = express();
    let allowedOrigin = ['https://example.com'];
    let corsOps = {
        origin: (origin, cb) => {
            // `origin` is undefined for same-origin or non-browser requests
            if (allowedOrigin.includes(origin))
                cb(null, true);
            else
                cb(new Error('Not allowed'));
        }
    };
    app.use(CORS(corsOps));
    // routes go here
    app.listen(3000);
This checked before calling any function, not on the response.
I searched a lot about this behavior and have seen multiple examples of using CORS in headers. How does it even work in headers?
For me it's my backend that stops the call and checks who is calling the backend API.
How can someone who is making requests set a property in the headers and the backend opens its access to anyone, just by seeing the header property and not checking the source that called?
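Added example, not code from the question above: a small Node.js model of the pieces the post asks about. It puts a Lambda-style handler that does its work and then attaches Access-Control-Allow-Origin next to the browser's decision on whether a page may read the response, the rule for when a pre-flight is even sent, and a server-side origin gate of the kind the cors middleware provides; every origin and path in it is a constructed sample value.

```javascript
// Added example: models the browser side of CORS next to a Lambda-style handler.
// All origins and paths below are constructed sample values.
const ALLOWED_ORIGIN = 'https://example.com';

// Lambda-style handler: does all of its work, then attaches the CORS header.
function handler(event) {
  const result = { ranDbQuery: true, path: event.path }; // stands in for real DB work
  return {
    statusCode: 200,
    headers: { 'Access-Control-Allow-Origin': ALLOWED_ORIGIN },
    body: JSON.stringify(result),
  };
}

// A pre-flight (OPTIONS) is only sent for requests that are not "simple":
// non-GET/HEAD/POST methods, custom headers, or a non-form Content-Type.
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
function needsPreflight(method, reqHeaders = {}) {
  if (!['GET', 'HEAD', 'POST'].includes(method)) return true;
  return Object.entries(reqHeaders).some(([name, value]) => {
    const lower = name.toLowerCase();
    if (lower === 'content-type') return !SAFE_CONTENT_TYPES.some((ct) => value.toLowerCase().startsWith(ct));
    return !SAFE_HEADERS.has(lower);
  });
}

// What the browser does with the response: compare the header to the page's origin.
function browserExposesResponse(pageOrigin, response) {
  const acao = response.headers['Access-Control-Allow-Origin'];
  return acao === '*' || acao === pageOrigin;
}

// A simple cross-origin GET from a page at `pageOrigin`: the server always runs;
// the browser only decides afterwards whether script may read the response.
function simulateBrowserFetch(pageOrigin, event) {
  const response = handler(event);
  return { serverRan: true, readable: browserExposesResponse(pageOrigin, response) };
}

// curl, Postman, node-fetch: no Origin check at all, the body is always readable.
function simulateCurl(event) {
  return { serverRan: true, readable: true, body: JSON.parse(handler(event).body) };
}

// Server-side allow-list (what the cors middleware does): reject before the handler.
function originGate(allowed, reqOrigin, event) {
  if (reqOrigin !== undefined && !allowed.includes(reqOrigin)) {
    return { statusCode: 403, body: 'origin not allowed', serverRan: false };
  }
  return { ...handler(event), serverRan: true };
}
```

Only `originGate` keeps the handler from running for a disallowed origin; the response header alone never does.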