Is it possible to trap CORS errors?

by

See:

…as well as notes in XHR Level 2 about CORS:

The information is intentionally filtered.

Edit many months later: A followup comment here asked for “why”; the anchor in the first link was missing a few characters which made it hard to see what part of the document I was referring to.

It’s a security thing – an attempt to avoid exposing information in HTTP headers which might be sensitive. The W3C link about CORS says:

User agents must filter out all response headers other than those that are a simple response header or of which the field name is an ASCII case-insensitive match for one of the values of the Access-Control-Expose-Headers headers (if any), before exposing response headers to APIs defined in CORS API specifications.

That passage includes links for “simple response header”, which lists Cache-Control, Content-Language, Content-Type, Expires, Last-Modified and Pragma. So those get passed. The “Access-Control-Expose-Headers headers” part lets the remote server expose other headers too by listing them in there. See the W3C documentation for more information.

Remember you have one origin – let’s say that’s the web page you’ve loaded in your browser, running some bit of JavaScript – and the script is making a request to another origin, which isn’t ordinarily allowed because malware can do nasty things that way. So, the browser, running the script and performing the HTTP requests on its behalf, acts as gatekeeper.

The browser looks at the response from that “other origin” server and, if it doesn’t seem to be “taking part” in CORS – the required headers are missing or malformed – then we’re in a position of no trust. We can’t be sure that the script running locally is acting in good faith, since it seems to be trying to contact servers that aren’t expecting to be contacted in this way. The browser certainly shouldn’t “leak” any sensitive information from that remote server by just passing its entire response to the script without filtering – that would basically be allowing a cross-origin request, of sorts. An information disclosure vulnerability would arise.

This can make debugging difficult, but it’s a security vs usability tradeoff where, since the “user” is a developer in this context, security is given significant priority.

More Related Contents:

  1. Why does my http://localhost CORS origin not work?
  2. AngularJS: No “Access-Control-Allow-Origin” header is present on the requested resource [duplicate]
  3. Cannot access cssRules from local css file in Chrome 64
  4. How do I access the link to the content? [closed]
  5. javascript “if” statement returning false value when both values are equal
  6. How to detect if JavaScript is disabled?
  7. Detect all changes to a (immediately) using JQuery
  8. When should I use Inline vs. External Javascript?
  9. Disable form auto submit on button click
  10. Pass vars to JavaScript via the SRC attribute
  11. Convert SVG to PNG with applied images as background to svg elements
  12. How can I open a link in new tab (and not new window)? [duplicate]
  13. Dashed border animation in css3 animation
  14. Adding images in JSfiddle [closed]
  15. How do I put codes from jsfiddle.net into my website?
  16. jQuery – Redirect with post data
  17. IE8 alternative to window.scrollY?
  18. CSS: Change parent on focus of child
  19. Click on option event
  20. Attach event listener through javascript to radio button
  21. swfobject.embedSWF not working?
  22. How to filter input type=”file” dialog by specific file type?
  23. How can I request an increase to the HTML5 localstorage size on iPad, like the FT web app does?
  24. Convert dropdown to selection boxes with color and trigger drop down action
  25. How to trigger change when using the back button with history.pushstate and popstate?
  26. Javascript click event handler – how do I get the reference to the clicked item?
  27. how to auto select an input field and the text in it on page load
  28. javascript close current window
  29. onclick calling hide-div function not working
  30. Owl Carousel Won’t Autoplay

Leave a Comment