CORS: Difference between revisions
Latest revision as of 03:26, 5 March 2024
Sources
* Cross-Origin Resource Sharing (CORS) - HTTP | MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Same-origin policy (SOP)
Before talking about CORS, we must first understand a security mechanism called the same-origin policy.
Two URLs have the same origin if they have the same protocol, port, and host. SOP restricts how a document or script loaded by one origin can interact with a resource from another origin, isolating malicious documents.
Consider a server that authenticates users via tokens stored in cookies. An attacker's website can attempt to make a request to this server, and the browser would send the token stored in its cookies along with it. However, since the attacker's website does not have the same origin as ours, the same-origin policy stops it from accessing our website.
Implementation
The same-origin policy is built into the browser's fetch API: the browser attaches an Origin header to the request, and the server then checks that header to confirm the request came from the same origin.
Notes
We can assume that the origin isn't spoofed if and only if the request came from a browser. Anyone can put whatever they want in a request made with a curl command. This is not a problem, since SOP is intended to protect against other websites using your resources (like authentication tokens). Presumably, they wouldn't be able to access your website without these resources.
What is CORS
Cross-Origin Resource Sharing (CORS) allows a server to bypass SOP securely.
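The following is an added example, not code from the original wiki page, showing the server-side half of what the Implementation and CORS sections describe: the server reads the Origin header the browser attached, compares it against an explicit allowlist, and only then emits the CORS headers that let the cross-origin page read the response. It is written for Node.js; the allowlist, the origins used in it, and the function names are assumptions made for this illustration.

```javascript
// Added example (not from the original page). Assumed allowlist of origins
// that are trusted to read this server's responses cross-origin.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Normalize an Origin header value. Two origins are equal exactly when
// scheme, host and port match, which is what URL.origin serializes. A genuine
// Origin header is only a serialized origin (no path, query or fragment), so
// anything else, including the literal "null" origin, is treated as absent.
function normalizeOrigin(value) {
  try {
    const url = new URL(value);
    return url.origin === value ? url.origin : null;
  } catch {
    return null;
  }
}

// Weak setting, for contrast: echoing whatever Origin arrives defeats the
// purpose of the check, because every site then passes the comparison.
function insecureReflectOrigin(originHeader) {
  return { "Access-Control-Allow-Origin": originHeader };
}

// Hardened setting: decide the CORS response headers for one request.
// Returns an object of headers to add, empty when nothing should be added.
// Note that this check is not authentication: a curl user can write any
// Origin they like, but without the victim's cookies they gain nothing, and a
// browser-issued request carries an Origin the page cannot change.
function corsHeaders(originHeader, { credentials = false } = {}) {
  // No Origin header: same-origin navigation or a non-browser client.
  if (originHeader === undefined) return {};
  const origin = normalizeOrigin(originHeader);
  // Unknown origin: send no CORS headers, so the browser blocks the read.
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": origin,
    // The response depends on Origin, so caches must key on it.
    Vary: "Origin",
  };
  // Cookie-bearing requests also need this header, and the browser refuses
  // credentials when the allowed origin is "*", so the match must be echoed.
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Usage (constructed values): an allowlisted page making a cookie request.
console.log(corsHeaders("https://app.example.com", { credentials: true }));
// A page on another origin, or a look-alike host, gets nothing back.
console.log(corsHeaders("https://app.example.com.attacker.example"));
```

Sending no Access-Control-Allow-Origin header at all on a mismatch, rather than an error status, is deliberate: the browser already blocks the page from reading the response, and the server does not need to reveal which origins it would have accepted.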

