Proper CORS Setup
Modern browsers try to prevent cross-origin request forgery attacks with a security mechanism known as the Same Origin Policy (SOP).
CORS settings open up some of the SOP's restrictions and relax them.
I would interpret a proper CORS setup as having:
- a browser that enforces SOP
- CORS allow headers that are neither * nor a reflection of the request's Origin host (only the hosts that are actually trusted)
SOP Restrictions
If a page makes cross-origin requests, there are three policies:
- write requests, such as links, redirects, XHR and form submissions (allowed) (Rule 1)
- embedding requests, such as <script>, <link>, <img>, <video>, <audio>, <object>, <embed>, @font-face and <iframe> (allowed) (Rule 2)
- read requests (disallowed) (Rule 3)
Of the above, the first category (write requests) is the one open to abuse for cross-site request forgery.
The SOP mechanism simply ALLOWS these write requests.
Why?
- for backward compatibility with existing websites
- convenient development and usage (just imagine what would happen if every redirect needed a complex solution!)
The only help the browser's SOP gives at this step is sending a pre-flight request for resource-changing (POST/PUT/...) XHR requests.
Note: in later steps it helps more than this.
In the pre-flight request, the server sends the CORS allow header and the browser finds out whether the resource-changing request is allowed or not.
For example: if there is a form with the POST method that changes a resource on the server, the CORS allow header will be received from the server, but the resource on the server has already been changed (an antidote after Sohrab's death).
SOP will prevent CSRF attacks on XHR requests, but not on application/x-www-form-urlencoded requests:
- there can be a form on evil.example,
- or a script can append a form to the DOM and submit it automatically.
The XHR preflight itself may also not prevent the attack as expected, because:
- in some browsers it can be disabled for performance (avoiding two requests)
- the Origin header may not be set
- the server may allow *
- some bugs in preflight handling expose the functionality ...
CSRF-Token Mechanism
A CSRF token can be used on both form and XHR requests.
The CSRF-token mechanism prevents the CSRF attack if and only if the CSRF token is not exposed to cross-origin malicious scripts.
But this scenario is imaginable: a script on a malicious website
- first requests the form (e.g. the edit form or delete form) and gets the token,
- then sends the token with an application/x-www-form-urlencoded request or XHR.
SOP Supports the CSRF Token
I have mentioned that SOP restricts read requests
and only allows the read requests that are embeds.
So SOP will prevent the CSRF token from being exposed to a malicious script (fetching the form and creating a fake form with the token) if:
- there is a proper CORS setup
- the form cannot be embedded
TL;DR
The SOP mechanism (with Rule #1, i.e. a proper CORS setup) can only prevent CSRF over XHR (implementations can have flaws; it cannot protect all scenarios).
The CSRF token can protect against CSRF attacks if the token has not been compromised.
The SOP mechanism (with Rule #3) can protect the CSRF token, and the CSRF token protects users from CSRF attacks.
We should take care not to compromise the CSRF token through the embedded-resource rule (Rule #2), mostly via iframe abuse.
MDN: How to block cross-origin access
- To prevent cross-origin writes, check an unguessable token in the request — known as a Cross-Site Request Forgery (CSRF) token. You must prevent cross-origin reads of pages that require this token.
- To prevent cross-origin reads of a resource, ensure that it is not embeddable. It is often necessary to prevent embedding because embedding a resource always leaks some information about it.
- To prevent cross-origin embeds, ensure that your resource cannot be interpreted as one of the embeddable formats listed above. Browsers may not respect the Content-Type header. For example, if you point a <script> tag at an HTML document, the browser will try to parse the HTML as JavaScript. When your resource is not an entry point to your site, you can also use a CSRF token to prevent embedding.
Further Reading
Same Origin Policy
CSRF token mechanisms (implementation in Laravel)