CORS: Difference between revisions

From Rice Wiki
Revision as of 19:50, 3 March 2024

Sources

* Cross-Origin Resource Sharing (CORS) - HTTP | MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Same-origin policy (SOP)

Before talking about CORS, we must first understand a security mechanism called the same-origin policy.

Two URLs have the same origin if they have the same protocol, port, and host. SOP restricts how a document or script loaded from one origin can interact with a resource from another origin, which isolates potentially malicious documents from each other.

Consider a server that authenticates users via tokens stored in cookies. A hacker website can attempt to make a request to this server, and the browser may attach the token stored in its cookies. However, since the hacker website does not have the same origin as our server, the same-origin policy stops its script from reading the response, so it cannot access our website's data.

Implementation

The same-origin policy is enforced by the browser. It is built into the browser's fetch API: when a script makes a request, the browser attaches an Origin header naming the origin of the page that made it. The server can then check that header and confirm that the request came from the same origin.

Notes

We can assume that the origin isn't spoofed only if the request came from a browser. Anyone can put whatever they want in a request with a curl command. This is not a problem, since SOP is intended to protect against other websites using your resources (like authentication tokens). Presumably, they wouldn't be able to access your website without these resources.
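To make the cookie scenario, the Origin-header check and the note about non-browser clients concrete, here is an added example (not code from the Rice Wiki page): a server-side check that compares the browser-supplied Origin header against an explicit allowlist, and a small model of the browser-side rule that decides whether a script may read a cross-origin response. The function names, the ALLOWED_ORIGINS list and the sample origins are constructed for illustration.

```javascript
// Added example, not code from the Rice Wiki page. ALLOWED_ORIGINS, the
// function names and the sample origins are constructed for illustration.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// Normalize an Origin header value to "scheme://host[:port]", the three parts
// that define an origin (default ports are dropped, the host is lowercased).
// Returns null for a missing value, the opaque "null" origin, or anything that
// is not a bare origin (path, query, fragment or userinfo present).
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.pathname !== "/" || url.search !== "" || url.hash !== "" ||
      url.username !== "" || url.password !== "") {
    return null;
  }
  return url.origin;
}

function sameOrigin(a, b) {
  const na = normalizeOrigin(a);
  return na !== null && na === normalizeOrigin(b);
}

// Server side: given the request headers, return the CORS headers to add.
// Only an exact allowlist match is echoed back. Substring or suffix matching
// (e.g. origin.endsWith("example.com")) is a classic mistake: it would also
// accept "https://app.example.com.attacker.test".
function corsHeadersFor(requestHeaders) {
  // The answer depends on Origin, so shared caches must key on it.
  const headers = { "Vary": "Origin" };
  const origin = normalizeOrigin(requestHeaders["origin"]);
  if (origin !== null && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  // Anything else (absent, "null", unknown origin) gets no Allow-Origin header,
  // so the browser refuses to hand the response body to the calling script.
  // Note: a non-browser client can send any Origin it likes, so this check
  // gates cross-origin reads by browser scripts; it is not authentication.
  return headers;
}

// Browser side: may a script running on pageOrigin read a response that
// carries responseHeaders from targetOrigin? Same origin is always readable;
// cross-origin needs a matching Allow-Origin, and when cookies were sent the
// server must also have opted in with Allow-Credentials ("*" does not count).
function scriptMayRead(pageOrigin, targetOrigin, responseHeaders, withCredentials) {
  if (sameOrigin(pageOrigin, targetOrigin)) return true;
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  if (!sameOrigin(acao, pageOrigin)) return false;
  if (withCredentials && responseHeaders["Access-Control-Allow-Credentials"] !== "true") {
    return false;
  }
  return true;
}

// The cookie scenario from the text: a page on a hacker site fetches our API
// and the browser attaches the victim's cookies. The request may reach the
// server, but the hacker's script gets no readable response back.
function hackerSiteCanReadOurApi() {
  const api = "https://api.example.com";
  const hackerPage = "https://hacker.example.net";
  const responseHeaders = corsHeadersFor({ origin: hackerPage });
  return scriptMayRead(hackerPage, api, responseHeaders, true);
}

console.log("hacker site can read our API:", hackerSiteCanReadOurApi());
```

The exact-match allowlist plus `Vary: Origin` is the shape most frameworks' CORS middleware produces; the model of the browser-side rule is what makes the difference between "the request was sent" and "the script could read the answer" visible, which is the distinction the same-origin policy actually enforces.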

What is CORS

Cross-Origin Resource Sharing (CORS) allows server