
I was researching the purpose of CORS headers, and the accepted answer here: What is the issue CORS is trying to solve? says that the reason for its existence is to prevent cookies from unintentionally being sent to external sites when making HTTP requests from JS (fetch or XMLHttpRequest).

Reading up on how cookies are handled based on the Set-Cookie documentation page, doesn't the SameSite=Strict cookie option obsolete CORS completely? It says:

means that the browser sends the cookie only for same-site requests, that is, requests originating from the same site that set the cookie. If a request originates from a different domain or scheme (even with the same domain), no cookies with the SameSite=Strict attribute are sent.

In summary, both CORS headers and the SameSite=Strict option for the Set-Cookie header seem to solve the same problem. Why do both exist?

Balázs Édes

  • The purpose of CORS is most emphatically NOT _to prevent cookies accidentally being sent to external sites when making HTTP requests from JS_. CORS and SameSite can and do coexist; I've written a bit about this topic (albeit more from an attacker's perspective): https://jub0bs.com/posts/2022-08-04-scraping-the-bottom-of-the-cors-barrel-part1/#cors-vs-samesite – jub0bs Sep 19 '22 at 14:46
  • @jub0bs in case the purpose of CORS is not to prevent cookies from being unintentionally (probably a better word) sent to external sites, could you elaborate on what the purpose of CORS is? If we leave out the cookie thing, in my view the only thing CORS prevents is me creating a frontend app (running in modern browsers) that can talk to your backend, which doesn't list my app's origin in the pre-flight response. In what way does this help secure anything? – Balázs Édes Sep 19 '22 at 15:20
  • CORS is for selectively relaxing the [Same-Origin Policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy)'s restrictions on cross-origin network access (both in terms of sending and reading). Typically, you want to configure CORS on some `https://api.example.com` server in order to allow client code running in the context of some other Web origin (e.g. `https://www.example.com`) to read the responses to requests it sends to `https://api.example.com`. – jub0bs Sep 19 '22 at 16:31
  • CORS doesn't help secure anything. Activating it only ever lifts some (or all) of the SOP's restrictions against cross-origin network access. – jub0bs Sep 19 '22 at 16:33
  • But I feel like your comment is straying away ("What is CORS for?") from your question ("SameSite vs CORS"). – jub0bs Sep 19 '22 at 16:38
  • @jub0bs you are completely right, let's stay focused. Let me ask with an example: What could go wrong if my API responds to any OPTIONS request with a CORS header that allows any origin (I simply set `Access-Control-Allow-Origin` to whatever the `Origin` request header was), exposes every response header, and allows any request method to the client, but when I use cookies, I set `SameSite=Strict` on my `Set-Cookie` headers? Can you give me an example of how this can be damaging to me? – Balázs Édes Sep 19 '22 at 21:58
  • The `SameSite` attribute (even if you use the `Strict` value) only has effects on cross-site requests. But not all cross-origin requests are cross-site; see https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/. For instance, if an attacker finds a single instance of cross-site scripting on one of your subdomains, your server configured with such a permissive CORS policy will be at risk of leaking data to attackers via cross-origin attacks. – jub0bs Sep 20 '22 at 06:02
  • @jub0bs It looks like `The SameSite cookie attribute is not well understood.` is very true :D Thank you! – Balázs Édes Sep 20 '22 at 12:44
  • No problem. If the matter is clearer in your mind, can we close this question? Or perhaps you want to post a self-answer...? – jub0bs Sep 20 '22 at 15:16
  • @jub0bs happy to close it, if you feel like adding a summary answer (and you care about the points) I'll accept it. – Balázs Édes Sep 30 '22 at 10:13

0 Answers