
I was searching for the reason CORS is disabled on browsers by default. I thought I had found an answer with an example in an old post:

Why is CORS without credentials forbidden?

    The main concern here is access control based on network topology. Suppose you run an HTTP service on your home network (in fact, you almost certainly do, if your router itself has a Web interface). We'll call this service R, and only the machines connected to your home router can get to the service. When your browser visits evil.example.com, that site serves your browser a script, telling it to fetch the contents of R and send it back to evil.example.com. This is potentially bad, even without credentials, because it's a violation of the assumption that no one outside your local network can view the services running inside your local network. The same-origin policy stops this from happening.

Then I actually read an observation about the CORS mechanism that sounds fine:

Why is CORS Disabled by Default?

    CORS is based on the response headers returned from the API. It is not the API that rejects responding to the request; the web browser explicitly disallows handling the response. The API will process the request as normal.

Hence my doubt about the first quoted "example": since enabling CORS is done through setting the right headers (Access-Control-Allow-Origin, ...) in server responses, what kind of protection would it be if, to bypass it, "evil.example.com" simply has to "set the headers in its responses to enable CORS on the client"?

If so, is there any other simple example of why CORS is disabled?

barsyu435

1 Answer


CORS is a system that disables the Same Origin Policy. It is a means to relax security, not a security feature.

The Same Origin Policy prevents Site Evil from reading data from Site Secret using the user's browser (and credentials).

Site Evil can't add the CORS headers to disable the Same Origin Policy and allow it to read Site Secret. Only Site Secret can do that.

The Same Origin Policy does not defend against CSRF attacks. Site Trusted should take steps to ensure it is not vulnerable to CSRF if it allows an HTTP request to make a change that requires authentication.

Quentin
  • About "Site Evil can't add the CORS headers to disable the Same Origin Policy and allow it to read Site Secret. Only Site Secret can do that." Could you detail this a little more? If a user (client on domain X) goes to Site Evil (domain Y), thus sending a request to it, why can't Site Evil simply add CORS headers to the response, with malevolent scripts, to let the user handle the request with the malevolent script? – barsyu435 Jan 30 '19 at 18:35
  • @barsyu435 — A response from Site Evil can grant permission, via CORS, for other sites' JavaScript to access Site Evil. Only Site Trusted can add headers to Site Trusted. – Quentin Jan 30 '19 at 20:21
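The point the answer and the comment exchange make, as an added example that is not code from the original post: the browser evaluates the Access-Control-Allow-Origin header of the response it just received from the target server, never a header sent by the page that issued the request. The model below mirrors the browser-side CORS check for a simple (non-preflighted) request; the origins (router.home, evil.example.com, api.secret.example, trusted.example), the constructed responses and the function names are assumptions for illustration.

```javascript
// Added example (not from the original post): a model of the browser's
// CORS response check. All origins and responses below are constructed.

const SECRET_ORIGIN = "http://router.home";           // service R on the LAN, no CORS headers
const EVIL_ORIGIN = "https://evil.example.com";       // attacker page, sends ACAO: *
const OPTED_IN_ORIGIN = "https://api.secret.example"; // an API that opted in for one origin
const TRUSTED_ORIGIN = "https://trusted.example";

// What each server answers. The headers are chosen by the server that
// owns the origin; nothing the requesting page does can change them.
const responses = {
  [SECRET_ORIGIN]: {
    status: 200, headers: {}, body: "<h1>Router admin</h1>",
  },
  [EVIL_ORIGIN]: {
    status: 200, headers: { "access-control-allow-origin": "*" }, body: "evil's own page",
  },
  [OPTED_IN_ORIGIN]: {
    status: 200,
    headers: { "access-control-allow-origin": TRUSTED_ORIGIN,
               "access-control-allow-credentials": "true" },
    body: '{"balance": 42}',
  },
};

// May a script running on pageOrigin read a response fetched from
// targetOrigin? Same-origin responses are always readable. Cross-origin
// responses are readable only if the *target's* Access-Control-Allow-Origin
// covers pageOrigin; the wildcard is refused when credentials were sent.
function canReadResponse(pageOrigin, targetOrigin, response, withCredentials) {
  if (pageOrigin === targetOrigin) return true;
  const acao = response.headers["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  if (acao !== pageOrigin) return false;
  if (withCredentials && response.headers["access-control-allow-credentials"] !== "true") return false;
  return true;
}

// Simulate fetch() issued by a page on pageOrigin. The server always
// processes the request (which is why SOP does not stop CSRF); CORS only
// decides whether the body is handed to the script.
function fetchAs(pageOrigin, targetOrigin, withCredentials = false) {
  const response = responses[targetOrigin];
  const serverProcessed = response !== undefined;
  const readable = serverProcessed &&
    canReadResponse(pageOrigin, targetOrigin, response, withCredentials);
  return { serverProcessed, body: readable ? response.body : null };
}

// Walk through the scenarios from the question and the answer.
function demo() {
  return {
    // evil.example.com probes the router: request goes out, body withheld.
    evilReadsRouter: fetchAs(EVIL_ORIGIN, SECRET_ORIGIN),
    // evil's own ACAO: * only lets *other* sites read evil.example.com.
    otherReadsEvil: fetchAs(TRUSTED_ORIGIN, EVIL_ORIGIN),
    otherReadsEvilWithCookies: fetchAs(TRUSTED_ORIGIN, EVIL_ORIGIN, true),
    // Only the opted-in API can grant access, and only to the origin it names.
    trustedReadsApi: fetchAs(TRUSTED_ORIGIN, OPTED_IN_ORIGIN, true),
    evilReadsApi: fetchAs(EVIL_ORIGIN, OPTED_IN_ORIGIN, true),
  };
}

console.log(demo());
```

Note that in every blocked case serverProcessed is still true: the request reached the server and any side effect it had already happened. That is the CSRF point from the answer, and it is why a state-changing endpoint needs its own protection (CSRF tokens, SameSite cookies, or requiring a preflighted content type) regardless of CORS.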