
This is a conceptual question, so most likely I'm missing something. From reading about it, CORS is meant to protect the secondary site, not the primary site. Glossing over, hopefully, unimportant details, the use case seems to go like this: a page loads from a.com and then attempts to fetch from b.com. In order to protect b.com the browser will follow the CORS spec by asking b.com if it's okay to share its data with a.com. This seems odd to me for two reasons:

  1. I can write a program to hit b.com directly, with any headers I please and ignoring preflight. Protecting b.com, it would seem to me, should be its own responsibility and if it's not willing to serve everyone, it should implement authentication.

  2. The use case I thought the CORS spec is designed to address, is protecting the origin site a.com. Use case: I convince someone to use my handy-dandy.js on her site, because handy-dandy.js does something really cool. What it also does is scrape the DOM for interesting data, like credit cards, and send it via a back door to my server b.com, which is happy to accept anything from anywhere.

Thanks in advance!

EDIT: As pointed out by daniel f., an earlier ticket subsumes this one.

Igor Urisman
  • It's meant to protect the user, not the server. *"I can write a program to hit b.com directly, with any headers I please and ignoring preflight."* - Indeed. You can also write a program which deletes every file on a hard drive, or grabs cookies from a user's browser and performs actions on their bank's website, or anything else you like. But for a user to be affected by that program they would need to install and run it, not just visit a website. – David Mar 22 '23 at 18:35
  • Thanks, @David. Could you give a use case where CORS protects a user just visiting a website from a risk that she'd be exposed to without CORS? – Igor Urisman Mar 22 '23 at 20:16
  • Suppose a user is logged in to their bank with a local cookie. Some time later the user visits a malicious site which sends AJAX requests to popular banks to perform malicious tasks. Without enforcing the Same Origin Policy, the attack would proceed and the user would have no idea. – David Mar 22 '23 at 20:27
  • Thanks, @David. That's exactly what I've been missing. – Igor Urisman Mar 23 '23 at 15:52

1 Answer


Two main things to understand:

  • CORS does not increase security; it actually allows one to deliberately "weaken" it. CORS allows one to define exceptions to the Same Origin Policy (SOP) enforced by browsers.

  • SOP is not about protecting a resource from being accessed; it is about protecting the User from having an attacker access a resource he (the User) has access to. See a previous answer of mine for additional clarifications.

daniel f.
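The bank scenario from the comments and the "CORS is an exception to SOP" point from the answer, as an added example that is not part of the original question or answer: a small model of the two decisions a browser makes for a cross-origin fetch. First, whether the request goes out directly or needs an OPTIONS preflight (the CORS-safelisted methods, headers and content types below are the ones from the Fetch standard). Second, whether page script on the requesting origin is allowed to read the response, based on the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers the other site returns. The origins (evil.example, bank.example) and header sets are constructed for illustration; nothing touches the network.

```javascript
// Added example (not code from the original question or answer): a model of the
// browser-side CORS checks. Origins and header values below are constructed.

// Methods and headers that do not trigger a preflight (Fetch standard).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Decide whether a request is "simple" (sent straight to the server, cookies
// and all) or whether the browser must first ask the server via OPTIONS.
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return true;
    if (lname === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// The response-side check: given the page's origin, the headers the other
// origin answered with, and whether cookies were attached, may the page's
// script read the body? Returns { readable, reason }.
function corsResponseReadable(pageOrigin, responseHeaders, withCredentials) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { readable: false, reason: "no Access-Control-Allow-Origin: the same-origin policy applies" };
  }
  if (allowOrigin === "*") {
    if (withCredentials) {
      return { readable: false, reason: "wildcard origin is not honoured for credentialed requests" };
    }
    return { readable: true, reason: "server opted in for any origin (anonymous request)" };
  }
  if (allowOrigin !== pageOrigin) {
    return { readable: false, reason: `origin ${pageOrigin} is not the allowed origin ${allowOrigin}` };
  }
  if (withCredentials && h["access-control-allow-credentials"] !== "true") {
    return { readable: false, reason: "credentialed request but Access-Control-Allow-Credentials is not true" };
  }
  return { readable: true, reason: "server explicitly opted this origin in (a deliberate SOP exception)" };
}

// Constructed scenario from the comments: a page on evil.example fetches the
// logged-in user's account page on bank.example with the user's cookies.
function bankScenario() {
  const page = "https://evil.example";
  return {
    // bank.example sends no CORS headers at all: SOP keeps the body from the script.
    noCors: corsResponseReadable(page, { "Content-Type": "text/html" }, true),
    // A careless "*" does not expose cookie-authenticated responses either.
    wildcard: corsResponseReadable(page, { "Access-Control-Allow-Origin": "*" }, true),
    // Only an explicit opt-in by bank.example lets evil.example read it.
    optIn: corsResponseReadable(page, {
      "Access-Control-Allow-Origin": "https://evil.example",
      "Access-Control-Allow-Credentials": "true",
    }, true),
  };
}

for (const [name, result] of Object.entries(bankScenario())) {
  console.log(`${name}: ${result.readable ? "readable" : "blocked"} (${result.reason})`);
}
```

Two things the model makes visible. A request that `needsPreflight` classifies as simple (a plain GET, or a form-encoded POST) is still sent to bank.example with the user's cookies attached (subject to the cookie's SameSite attribute); what SOP withholds is the response, so a state-changing endpoint still needs its own CSRF defence. And the only path to `readable: true` with credentials is bank.example naming the calling origin and setting Access-Control-Allow-Credentials, which is exactly the "deliberate weakening" the answer describes: the server, not the browser, chooses to share the user's data with that origin.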