Having a permissive Cross-Origin Resource Sharing policy is security-sensitive. It has led in the past to the following vulnerabilities:
Same origin policy in browsers prevents, by default and for
security-reasons, a javascript frontend to perform a cross-origin HTTP request to a resource that has a different origin (domain, protocol, or port)
from its own. The requested target can append additional HTTP headers in response, called CORS, that act like directives for the browser and change the access control policy
/ relax the same origin policy.
Ask Yourself Whether
- You don’t trust the origin specified, example:
Access-Control-Allow-Origin: untrustedwebsite.com
.
- Access control policy is entirely disabled:
Access-Control-Allow-Origin: *
- Your access control policy is dynamically defined by a user-controlled input like
origin
header.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- The
Access-Control-Allow-Origin
header should be set only for a trusted origin and for specific resources.
- Allow only selected, trusted domains in the
Access-Control-Allow-Origin
header. Prefer whitelisting domains over blacklisting or
allowing any domain (do not use * wildcard nor blindly return the Origin
header content without any checks).
Sensitive Code Example
PHP built-in header function:
header("Access-Control-Allow-Origin: *"); // Sensitive
Laravel:
response()->header('Access-Control-Allow-Origin', "*"); // Sensitive
Symfony:
use Symfony\Component\HttpFoundation\Response;
$response = new Response(
'Content',
Response::HTTP_OK,
['Access-Control-Allow-Origin' => '*'] // Sensitive
);
$response->headers->set('Access-Control-Allow-Origin', '*'); // Sensitive
User-controlled origin:
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Request;
$origin = $request->headers->get('Origin');
$response->headers->set('Access-Control-Allow-Origin', $origin); // Sensitive
Compliant Solution
PHP built-in header function:
header("Access-Control-Allow-Origin: $trusteddomain");
Laravel:
response()->header('Access-Control-Allow-Origin', $trusteddomain);
Symfony:
use Symfony\Component\HttpFoundation\Response;
$response = new Response(
'Content',
Response::HTTP_OK,
['Access-Control-Allow-Origin' => $trusteddomain]
);
$response->headers->set('Access-Control-Allow-Origin', $trusteddomain);
User-controlled origin validated with an allow-list:
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Request;
$origin = $request->headers->get('Origin');
if (in_array($origin, $trustedOrigins)) {
$response->headers->set('Access-Control-Allow-Origin', $origin);
}
See