Understanding AJAX CORS and security considerations

by

As I learned from this post, when page from www.a.com makes AJAX request to www.b.com, then it’s the www.b.com that decides if request should be allowed or not.

Not quite. The request isn’t blocked (at least, if it is simple).

By default the JavaScript running on www.a.com is forbidden access to the response from www.b.com.

CORS allows www.b.com to give permission to the JavaScript on www.a.com to access the response.

But what is exactly secured on client in such model?

It stops the author of www.a.com from reading data from www.b.com using the browser of a User who has visited both sites and has been authenticated on www.b.com (and thus has access to data that isn’t public).

For example, Alice is logged into Google. Alice visits malicious.example which uses XMLHttpRequest to access data from gmail.com. Alice has a GMail account so the response has a list of the most recent email in her inbox. The same origin policy prevents malicious.example from reading it.

For example, hacker success to make XSS script injection to my page, then it makes AJAX request to his domain to store user data. So hackers domain will allow such request for sure.

Correct. XSS is a different security problem that needs to be addressed at source (i.e. at www.a.com and not in the browser).

More Related Contents:

  1. Origin is not allowed by Access-Control-Allow-Origin
  2. CORS error on same domain?
  3. Is CORS a secure way to do cross-domain AJAX requests?
  4. How does Access-Control-Allow-Origin header work?
  5. jQuery AJAX cross domain
  6. Loading cross-domain endpoint with AJAX
  7. How do I send a cross-domain POST request via JavaScript?
  8. Response to preflight request doesn’t pass access control check
  9. jQuery XML error ‘ No ‘Access-Control-Allow-Origin’ header is present on the requested resource.’
  10. how to bypass Access-Control-Allow-Origin?
  11. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  12. No ‘Access-Control-Allow-Origin’ header is present on the requested resource error
  13. Cross-Origin Read Blocking (CORB)
  14. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  15. Firefox ‘Cross-Origin Request Blocked’ despite headers [closed]
  16. Why does the preflight OPTIONS request of an authenticated CORS request work in Chrome but not Firefox?
  17. How do I send an AJAX request on a different port with jQuery?
  18. AngularJS POST Fails: Response for preflight has invalid HTTP status code 404
  19. Cross domain POST request is not sending cookie Ajax Jquery
  20. cross-origin ‘Authorization’-header with jquery.ajax()
  21. Javascript – No ‘Access-Control-Allow-Origin’ header is present on the requested resource
  22. Canvas tainted by cross-origin data
  23. Cross-origin resource sharing (CORS) concept
  24. CORS cookie credentials from mobile WebView loaded locally with file://
  25. Javascript module not working in browser?
  26. CORS error for application running from file:// scheme
  27. How does the ‘Access-Control-Allow-Origin’ header work?
  28. Microsoft Edge blocked cross-domain requests sent to IPs in same private network CIDR
  29. XMLHttpRequest: Network Error 0x80070005, Access is denied on Microsoft Edge (but not IE)
  30. CORS error with jquery

Leave a Comment