Question

I have read some articles on the Same Origin Policy and CORS and still don't understand well the security they bring to the user.

The Same Origin Policy gives truly valuable security, preventing a site from one origin from accessing some webpage content on another website. This prevents the threat of having the content of an iframe accessed by the script of the container, possibly a fake/phishing website.

But here come AJAX and CORS. CORS gives the server the ability to control which origins can access it. But, in the end, it is the browser which stops the request if it is not allowed, after the header handshake.

So, imagine you have some malicious website myphishing.com. You want to show information from another trusted website mybank.com through an AJAX request to this site. This one is protected by well-configured CORS headers only allowing requests from the mybank.com origin. What if I, the author of myphishing.com, relay all requests to mybank.com through a proxy that alters headers in both the request and the response to fool the client browser and the bank server? It seems one can change the Origin header in the request to a mybank.com one, and change the CORS response headers to make the browser think myphishing.com is allowed to make the request. Header handshake passed, you can then send the request and get the response with similar header substitution tricks.

Perhaps I'm totally misled, but I would be very pleased if someone could show me where I have misunderstood the whole thing.

Possible duplicate but I didn't find my answer here: What is the threat model for the same origin policy?.


Solution

What if I, the author of myphishing.com, relay all requests to mybank.com through a proxy that alters headers in both the request and the response to fool the client browser and the bank server?

You could do that anyway, CORS or no CORS.

If the request is coming from your proxy, however, then it has no way to know what credentials the browser would have sent to the server if the request was coming from the browser.
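To make the answer's point concrete, here is an added example (not code from the original question or answer) that models in plain Node.js what the three parties see: the victim's browser with its cookie jar, the bank's server that authenticates by session cookie and emits CORS headers only for its own origin, and the attacker's proxy that rewrites Origin on the way in and the CORS headers on the way out. The hostnames, the cookie value, the API path and the response bodies are all constructed for the illustration; the "browser" here only implements the two rules that matter for the question (credentials are attached per target origin, and a cross-origin response is readable only if the server named the page's exact origin and allowed credentials).

```javascript
// Constructed state: the victim's browser holds a session cookie for mybank.com only.
const browserCookieJar = { "https://mybank.com": "session=victim-session-token" };

// Constructed bank server: authenticates by cookie, and only acknowledges its own
// origin in the CORS response headers.
function bankServer(req) {
  const headers = {};
  if (req.headers.Origin === "https://mybank.com") {
    headers["Access-Control-Allow-Origin"] = "https://mybank.com";
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  if (req.headers.Cookie !== "session=victim-session-token") {
    return { status: 401, headers, body: "login required" };
  }
  return { status: 200, headers, body: "balance: 12345" };
}

// The attacker's proxy (hypothetical host proxy.myphishing.com): rewrites the URL and
// the Origin header, forwards whatever it received to the bank, then rewrites the CORS
// headers so the browser will let the phishing page read the reply. It has no cookie
// for mybank.com, because the victim's cookie jar lives in the victim's browser.
function phishingProxy(req) {
  const forwarded = {
    url: req.url.replace("https://proxy.myphishing.com", "https://mybank.com"),
    headers: { ...req.headers, Origin: "https://mybank.com" },
  };
  const res = bankServer(forwarded);
  return {
    ...res,
    headers: {
      ...res.headers,
      "Access-Control-Allow-Origin": "https://myphishing.com",
      "Access-Control-Allow-Credentials": "true",
    },
  };
}

// Minimal "network": routes a request to whichever constructed host owns the URL.
function network(req) {
  const origin = new URL(req.url).origin;
  if (origin === "https://mybank.com") return bankServer(req);
  if (origin === "https://proxy.myphishing.com") return phishingProxy(req);
  return { status: 404, headers: {}, body: "" };
}

// Simplified credentialed fetch: the browser attaches the cookie stored for the
// *target* origin, sends the page's real Origin, then enforces CORS on the response
// before the calling script may read it.
function browserFetch(pageOrigin, url, transport) {
  const targetOrigin = new URL(url).origin;
  const req = { url, headers: { Origin: pageOrigin } };
  if (browserCookieJar[targetOrigin]) req.headers.Cookie = browserCookieJar[targetOrigin];
  const res = transport(req);
  const allowOrigin = res.headers["Access-Control-Allow-Origin"];
  const allowCreds = res.headers["Access-Control-Allow-Credentials"] === "true";
  const readable = targetOrigin === pageOrigin || (allowOrigin === pageOrigin && allowCreds);
  return readable
    ? { ok: true, status: res.status, body: res.body }
    : { ok: false, error: "blocked by CORS" };
}

function scenarios() {
  return {
    // 1. Script on myphishing.com calls the bank directly: the browser does send the
    //    victim's cookie and the bank answers 200, but the script cannot read the reply.
    direct: browserFetch("https://myphishing.com", "https://mybank.com/api/balance", network),
    // 2. Script on myphishing.com goes through the proxy: the rewritten headers pass the
    //    CORS check, so the script can read the reply, but the proxy's request to the
    //    bank carried no session cookie, so the reply is just "login required".
    viaProxy: browserFetch("https://myphishing.com", "https://proxy.myphishing.com/api/balance", network),
    // 3. The bank's own page: same origin, cookie attached, response readable.
    sameOrigin: browserFetch("https://mybank.com", "https://mybank.com/api/balance", network),
  };
}

console.log(scenarios());
```

The proxy does exactly what the question proposes and still learns nothing about the victim's account: the only credentialed request ever reaches the bank in scenario 1, where the browser refuses to hand the body to the phishing script, and the proxied request in scenario 2 is readable precisely because it is the proxy's own unauthenticated request.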

Licensed under: CC-BY-SA with attribution