What is the concept behind Access-Control-Allow-Origin and CORS?

Question

I don't really get Access-Control-Allow-Origin and CORS.
If I allow request from any domain to my page, does that imply any security issues for my page?

I always thought, that SOP ensures, that there can't run any script on a page, which requests data from another server, as that data might be malicious. But as the server, which serves the malicious data, can just reply with a header containing Access-Control-Allow-Origin:*, everything can be loaded from that server.
So as soon as somebody manages to inject a piece of JS code into a page, every malicious code can be loaded from a server belonging to the attacker.

Unitl now I assumed, that I would have to enable cross domain requests to allow code on my page to request data from another domain but it seems to be the other way round; the other domain has to allow my domain to request data. I don't really see the security benefits of this concept.
Could anybody explain the concepts behind this or tell me if I am getting it all wrong?

Answer 1

Given:

• Alice, a user with a browser
• Bob, a site owner with a website
• Mallory, a malicious site owner with a website

Alice has an account on Bob's server. Maybe it is her webmail. Maybe it is her online banking. Maybe it is somewhere she likes to shop.

Alice visits Mallory's website, not knowing that it is evil.

The Same Origin Policy prevents Mallory's website from using JavaScript to tell Alice's browser to make a request to Bob's website and give Alice's personal information (her bank balance for instance) to Mallory's website (and therefore to Mallory).

(Sometimes the request will be blocked because the conditions require a pre-flight request, other times the request will go through but the response will not be provided to Mallory's site. Look up CSRF if you want to defend against attacks where the danger lies in what the server does when it gets the request rather then in information leaking from the response).

CORS allows Bob to say that a resource on his website does not contain any personal information so that it is safe to allow other sites to access it (or that a particular site can be trusted with the personal information).

So as soon as somebody manages to inject a piece of JS code into a page,

XSS is a completely different security problem. You need to prevent people injecting JS.