|
3 | 3 | "qhelp.dtd"> |
4 | 4 | <qhelp> |
5 | 5 |
|
6 | | -<overview> |
7 | | - <p> |
| 6 | + <overview> |
| 7 | + <p> |
8 | 8 |
|
9 | | - A server can use <code>CORS</code> (Cross-Origin Resource Sharing) to relax the |
10 | | - restrictions imposed by the <code>SOP</code> (Same-Origin Policy), allowing controlled, secure |
11 | | - cross-origin requests when necessary. |
| 9 | + A server can use CORS (Cross-Origin Resource Sharing) to relax the |
| 10 | + restrictions imposed by the Same-Origin Policy, allowing controlled, secure |
| 11 | + cross-origin requests when necessary. |
12 | 12 |
|
13 | | - A server with an overly permissive <code>CORS</code> configuration may inadvertently |
14 | | - expose sensitive data or lead to <code>CSRF</code> which is an attack that allows attackers to trick |
15 | | - users into performing unwanted operations in websites they're authenticated to. |
| 13 | + </p> |
| 14 | + <p> |
16 | 15 |
|
17 | | - </p> |
| 16 | + A server with an overly permissive CORS configuration may inadvertently |
| 17 | + expose sensitive data or enable CSRF attacks, which allow attackers to trick |
| 18 | + users into performing unwanted operations on websites they're authenticated to. |
18 | 19 |
|
19 | | -</overview> |
| 20 | + </p> |
| 21 | + </overview> |
20 | 22 |
|
21 | | -<recommendation> |
22 | | - <p> |
| 23 | + <recommendation> |
| 24 | + <p> |
23 | 25 |
|
24 | | - When the <code>origin</code> is set to <code>true</code>, it signifies that the server |
25 | | - is accepting requests from <code>any</code> origin, potentially exposing the system to |
26 | | - CSRF attacks. This can be fixed using <code>false</code> as origin value or using a whitelist. |
| 26 | + When the <code>origin</code> is set to <code>true</code>, the server |
| 27 | + accepts requests from any origin, potentially exposing the system to |
| 28 | + CSRF attacks. Use <code>false</code> as the origin value or implement a whitelist |
| 29 | + of allowed origins instead. |
27 | 30 |
|
28 | | - </p> |
29 | | - <p> |
| 31 | + </p> |
| 32 | + <p> |
30 | 33 |
|
31 | | - On the other hand, if the <code>origin</code> is |
32 | | - set to <code>null</code>, it can be exploited by an attacker to deceive a user into making |
33 | | - requests from a <code>null</code> origin form, often hosted within a sandboxed iframe. |
| 34 | + When the <code>origin</code> is set to <code>null</code>, it can be |
| 35 | + exploited by an attacker who can deceive a user into making |
| 36 | + requests from a <code>null</code> origin, often hosted within a sandboxed iframe. |
34 | 37 |
|
35 | | - </p> |
| 38 | + </p> |
| 39 | + <p> |
36 | 40 |
|
37 | | - <p> |
| 41 | + If the <code>origin</code> value is user-controlled, ensure that the data |
| 42 | + is properly sanitized and validated against a whitelist of allowed origins. |
38 | 43 |
|
39 | | - If the <code>origin</code> value is user controlled, make sure that the data |
40 | | - is properly sanitized. |
| 44 | + </p> |
| 45 | + </recommendation> |
41 | 46 |
|
42 | | - </p> |
43 | | -</recommendation> |
| 47 | + <example> |
| 48 | + <p> |
44 | 49 |
|
45 | | -<example> |
46 | | - <p> |
| 50 | + In the following example, <code>server_1</code> accepts requests from any origin |
| 51 | + because the value of <code>origin</code> is set to <code>true</code>. |
| 52 | + <code>server_2</code> uses user-controlled data for the origin without validation. |
47 | 53 |
|
48 | | - In the example below, the <code>server_1</code> accepts requests from any origin |
49 | | - since the value of <code>origin</code> is set to <code>true</code>. |
50 | | - And <code>server_2</code>'s origin is user-controlled. |
| 54 | + </p> |
51 | 55 |
|
52 | | - </p> |
| 56 | + <sample src="examples/CorsPermissiveConfigurationBad.js"/> |
53 | 57 |
|
54 | | - <sample src="examples/CorsPermissiveConfigurationBad.js"/> |
| 58 | + <p> |
55 | 59 |
|
56 | | - <p> |
| 60 | + To fix these issues, <code>server_1</code> uses a restrictive CORS configuration |
| 61 | + that is not vulnerable to CSRF attacks. <code>server_2</code> properly validates |
| 62 | + user-controlled data against a whitelist before using it. |
57 | 63 |
|
58 | | - In the example below, the <code>server_1</code> CORS is restrictive so it's not |
59 | | - vulnerable to CSRF attacks. And <code>server_2</code>'s is using properly sanitized |
60 | | - user-controlled data. |
| 64 | + </p> |
61 | 65 |
|
62 | | - </p> |
| 66 | + <sample src="examples/CorsPermissiveConfigurationGood.js"/> |
| 67 | + </example> |
63 | 68 |
|
64 | | - <sample src="examples/CorsPermissiveConfigurationGood.js"/> |
65 | | -</example> |
66 | | - |
67 | | -<references> |
68 | | - <li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin">CORS, Access-Control-Allow-Origin</a>.</li> |
69 | | - <li>W3C: <a href="https://w3c.github.io/webappsec-cors-for-developers/#resources">CORS for developers, Advice for Resource Owners</a></li> |
70 | | -</references> |
| 69 | + <references> |
| 70 | + <li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin">CORS, Access-Control-Allow-Origin</a>.</li> |
| 71 | + <li>W3C: <a href="https://w3c.github.io/webappsec-cors-for-developers/#resources">CORS for developers, Advice for Resource Owners</a>.</li> |
| 72 | + </references> |
71 | 73 | </qhelp> |
0 commit comments