CORS: Difference between revisions

From Rice Wiki
No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 3: Line 3:
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS Cross-Origin Resource Sharing (CORS) - HTTP | MDN]
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS Cross-Origin Resource Sharing (CORS) - HTTP | MDN]


= Same-origin policy =
= Same-origin policy (SOP) =
Before talking about CORS, we must first understand a security mechanism called the '''same-origin policy'''. This policy restricts how a document or script loaded by one origin can interact with a resource from another origin.
Before talking about CORS, we must first understand a security mechanism called the '''same-origin policy'''.  


Two URLs have the same ''origin'' if they have the same protocol, port, and host.
Two URLs have the same ''origin'' if they have the same protocol, port, and host. SOP restricts how a document or script loaded by one origin can interact with a resource from another origin, isolating malicious documents.


This isolates potentially malicious documents. Consider a hacker website with a script that requests resources from our server. Since the hacker website does not have the same origin as us, they can't access our website by the same-origin policy.
Consider a server authenticated via tokens stored in cookies. A hacker website can attempt to make a request to this server with the token stored in the browser cookies. However, since the hacker website does not have the same origin as us, they can't access our website by the same-origin policy.


On the browser side, an HTTP header is attached to identify the origin. There are a series of steps to implement same-origin policy on the server side. For more information, see the [https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#how_to_block_cross-origin_access MDN article] (for my use case, Express ''cors'' module works fine).
==== Implementation ====
The same origin policy is built into the browser's ''fetch'' API so that browsers will attach a Origin header to the request. The server will then check that header and confirm that it is from the same origin.
 
==== Notes ====
We can assume that the origin isn't spoofed if and only if the request came from a browser. Anyone can put whatever they want in a request with a curl command. This is not a problem since SOP is intended to protect against other website using your resources (like authentication tokens). Presumably, the wouldn't be able to access your website without these resources.


= What is CORS =
= What is CORS =
'''Cross-Origin Resource Sharing''' (CORS) allows server
'''Cross-Origin Resource Sharing''' (CORS) allows server to bypass SOP securely.
 
[[Category:Cybersecurity]]
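Review bot: the new Implementation paragraph puts the same-origin check on the server ("The server will then check that header and confirm that it is from the same origin"), yet the Notes paragraph added in the same revision concedes that anyone can set Origin to anything with curl, so a server-side comparison of Origin cannot be what enforces SOP; the paragraph it replaces kept the browser-side header and the server-side steps apart, which was closer. Suggest rewording along the lines of: the browser attaches the Origin header and itself blocks the page from reading a cross-origin response; inspecting Origin on the server is the CORS step described in the next section. Two smaller points in the same hunk: "a Origin header" should read "an Origin header", and "allows server to bypass SOP securely" reads better as "allows a server to relax SOP for chosen origins", since the headers opt specific origins in rather than switching the policy off.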

Latest revision as of 03:26, 5 March 2024

Sources

Same-origin policy (SOP)

Before talking about CORS, we must first understand a security mechanism called the same-origin policy.

Two URLs have the same origin if they have the same protocol, port, and host. SOP restricts how a document or script loaded by one origin can interact with a resource from another origin, which isolates potentially malicious documents.

Consider a server that authenticates users via tokens stored in cookies. A hacker's website can attempt to make a request to this server, and the browser would send the token stored in its cookies along with it. However, since the hacker's website does not have the same origin as ours, the same-origin policy keeps it from accessing our website.

Implementation

The same-origin policy is built into the browser's fetch API, so browsers attach an Origin header to the request. The server will then check that header and confirm that it is from the same origin.

Notes

We can assume that the origin isn't spoofed if and only if the request came from a browser; anyone can put whatever they want in a request made with a curl command. This is not a problem, since SOP is intended to protect against other websites using your resources (such as authentication tokens). Presumably, they wouldn't be able to access your website without these resources.

What is CORS

Cross-Origin Resource Sharing (CORS) allows a server to bypass SOP securely.
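The Implementation and CORS sections above describe the server inspecting the Origin header and then selectively letting cross-origin pages through. As an added example that is not code from the wiki or from the Express cors module, the function below makes that decision for one request: it compares the full origin (protocol, host and port, as defined above) against an allowlist, emits the Access-Control-* headers only on a match, and answers a preflight OPTIONS request. The allowlist entries and request shape are constructed sample values.

```javascript
// Constructed sample allowlist. Origins are compared as whole strings,
// so scheme, host and port must all match (http://localhost:3001 would not).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "http://localhost:3000",
]);

/**
 * Decide which CORS headers a response should carry.
 * req is a plain object: { method, headers: { origin, "access-control-request-method" } }
 * Returns { status, headers, allowed } so the caller can set them on a real response.
 */
function corsDecision(req, allowlist = ALLOWED_ORIGINS) {
  const origin = req.headers["origin"];
  const headers = {};

  // No Origin header: a same-origin page request or a non-browser client such
  // as curl. There is nothing to relax; a browser is not enforcing SOP here.
  if (!origin) return { status: 200, headers, allowed: false };

  // Strict allowlist match. Echoing back any Origin the client sends would hand
  // every site the same access, and "*" may not be combined with credentials.
  // With no Access-Control-Allow-Origin header the browser withholds the
  // response from the calling page, which is SOP doing its job.
  if (!allowlist.has(origin)) return { status: 200, headers, allowed: false };

  headers["Access-Control-Allow-Origin"] = origin;       // exact origin, not "*"
  headers["Access-Control-Allow-Credentials"] = "true";  // cookies/tokens may flow
  headers["Vary"] = "Origin";  // a cache must not reuse this answer for another origin

  // Preflight: before a non-simple request the browser asks permission first.
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    headers["Access-Control-Max-Age"] = "600";  // seconds the browser may cache this
    return { status: 204, headers, allowed: true };
  }

  return { status: 200, headers, allowed: true };
}
```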