From a client-side security standpoint, does CORS do anything other than loosen the same-origin policy?

(and if not, does it really improve client-side security?)

I'm thinking of a case where a script from server X uses XHR to fetch and run untrusted code from server Y (which supports CORS).

(obviously evaluating untrusted code is bad)

+5
javascript ajax cors same-origin-policy
Jun 05
3 answers

I do not use CORS to improve security at all. I use CORS to access a well-known web service on a different domain, which I would not be allowed to access without CORS. In my opinion this is not about a security improvement, but about letting data from one domain be transferred to another.

+5
Jun 05 '11 at 6:21

CORS is not about enhancing security but about weakening it (though only under certain conditions, with the permission of the server).

If you want to access something on another server in an AJAX request without CORS, you are not allowed to because of "security" (the same-origin policy), and that is the end of it*. With CORS, the other server can give permission to lower this security barrier.

* Except for hacks such as JSONP, but that also requires the server's permission.

+5
Mar 26 '12 at 11:30

CORS undermines the same-origin policy, but selectively. For example, a bank's website domain will not set the CORS header at all (so that the same-origin policy remains fully in force), since no JavaScript loaded from other domains should be making AJAX requests to the bank (or perhaps they allow only a partner site they trust). A CDN will probably set Access-Control-Allow-Origin "*", since it doesn't matter if JavaScript loaded from another domain makes AJAX requests to the CDN.

+1
Mar 17 '15 at 18:16
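As an added illustration of the selective relaxation the two answers above describe (this is example code written for this page, not anything posted in the thread): a server-side function that grants or withholds permission per request Origin, beside the check a browser applies to the response headers before a cross-origin script may read the body. The bank and CDN policies, the partner origin, the "evil" origin and the credential handling are assumptions made for the example.

```javascript
// Added example (not from the original thread): a minimal model of the two
// halves of a CORS decision.
//   1. The server decides, per request Origin, whether to grant permission.
//   2. The browser decides, from the response headers, whether the calling
//      page's script may read the response.
// Policies and origins below are made up for illustration.

// Server side: given a site's policy and the Origin request header, produce
// the CORS response headers (or none). `allowedOrigins` is either the string
// "*" or a Set of exact origins.
function corsHeadersFor(policy, requestOrigin) {
  if (policy.allowedOrigins === "*") {
    // Public, non-sensitive content (the CDN case): anyone may read it.
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (requestOrigin && policy.allowedOrigins.has(requestOrigin)) {
    // Grant only this one trusted partner: echo its exact origin and tell
    // caches that the answer depends on Origin. (Credentials header is an
    // assumption for the example; the thread does not discuss cookies.)
    return {
      "Access-Control-Allow-Origin": requestOrigin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    };
  }
  // Default: no CORS headers, so the same-origin policy stays fully in force.
  return {};
}

// Browser side: the check a browser applies before letting a script on
// `pageOrigin` read a cross-origin response. It follows the Fetch spec rules:
// the header must be "*" or exactly the page's origin, and "*" is not
// accepted for credentialed requests.
function browserPermitsRead(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;            // no permission given
  if (acao === "*") return !withCredentials;       // wildcard: anonymous only
  if (acao !== pageOrigin) return false;           // granted to someone else
  if (withCredentials) {
    return responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return true;
}

// Hypothetical policies modelled on the answer above.
const bankPolicy = { allowedOrigins: new Set(["https://partner.example"]) };
const cdnPolicy = { allowedOrigins: "*" };

// End to end: does a script running on `pageOrigin` get to read a response
// from a server that applies `policy`?
function crossOriginReadAllowed(policy, pageOrigin, withCredentials = false) {
  const headers = corsHeadersFor(policy, pageOrigin);
  return browserPermitsRead(pageOrigin, headers, withCredentials);
}

// Scenarios, returned as values so they can be checked rather than only printed.
function scenarios() {
  return {
    // Attacker page vs bank: no header at all, so the browser blocks the read.
    attackerReadsBank: crossOriginReadAllowed(bankPolicy, "https://evil.example", true),
    // Trusted partner vs bank: explicit grant, read allowed even with cookies.
    partnerReadsBank: crossOriginReadAllowed(bankPolicy, "https://partner.example", true),
    // Any site vs CDN: wildcard grant, anonymous read allowed.
    anySiteReadsCdn: crossOriginReadAllowed(cdnPolicy, "https://evil.example"),
    // The wildcard does not extend to credentialed requests.
    anySiteReadsCdnWithCookies: crossOriginReadAllowed(cdnPolicy, "https://evil.example", true),
  };
}

console.log(scenarios());
```

Run it with `node`. Two points the model makes concrete: without a CORS header the browser, not the server, is what refuses the read, which is why answer 2 calls this the server "giving permission"; and the wildcard is only ever an anonymous grant, so a server that wants to serve one trusted partner with cookies has to echo that exact origin (and vary on it) rather than reach for "*". Note also what the same-origin policy never covered: a page has always been able to load and execute a cross-origin script through `<script src>`; what CORS gates is whether script on one origin can read the bytes of another origin's response, which is exactly what the XHR-then-eval scenario in the question depends on.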