What security risks exist when setting Access-Control-Allow-Origin to accept all domains?

by

By responding with Access-Control-Allow-Origin: *, the requested resource allows sharing with every origin. This basically means that any site can send an XHR request to your site and access the server’s response which would not be the case if you hadn’t implemented this CORS response.

So any site can make a request to your site on behalf of their visitors and process its response. If you have something implemented like an authentication or authorization scheme that is based on something that is automatically provided by the browser (cookies, cookie-based sessions, etc.), the requests triggered by the third party sites will use them too.

This indeed poses a security risk, particularly if you allow resource sharing not just for selected resources but for every resource. In this context you should have a look at When is it safe to enable CORS?.

Update (2020-10-07)

Current Fetch Standard omits the credentials when credentials mode is set to include, if Access-Control-Allow-Origin is set to *.

Therefore, if you are using a cookie-based authentication, your credentials will not be sent on the request.

More Related Contents:

  1. Cross-Domain AJAX doesn’t send X-Requested-With header
  2. CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true
  3. What’s the point of the X-Requested-With header?
  4. What is the motivation behind the introduction of preflight CORS requests?
  5. Same origin Policy and CORS (Cross-origin resource sharing)
  6. CORS issue while making an Ajax request for oauth2 access token
  7. API Gateway CORS: no ‘Access-Control-Allow-Origin’ header
  8. Why the cross-domain Ajax is a security concern?
  9. Access denied in IE 10 and 11 when ajax target is localhost
  10. $http.get is not allowed by Access-Control-Allow-Origin but $.ajax is
  11. Set-Cookie on Browser with Ajax Request via CORS
  12. Ajax call bug with Chrome new version 73.0.3683.75?
  13. Enable CORS in Golang
  14. Using the HTTP Range Header with a range specifier other than bytes?
  15. Web sockets make ajax/CORS obsolete?
  16. Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at
  17. Cross-Origin Request Blocked
  18. How to block external http requests? (securing AJAX calls)
  19. Who can explain this ajax code for me [closed]
  20. Keep p:dialog open when a validation error occurs after submit
  21. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘…’ is therefore not allowed access
  22. How to get response status code from jQuery.ajax?
  23. Google Maps API throws “Uncaught ReferenceError: google is not defined” only when using AJAX
  24. How to enable cross-domain request on the server?
  25. Cross Domain Resource Sharing GET: ‘refused to get unsafe header “etag”‘ from Response
  26. How to allow CORS in react.js?
  27. Does Vue.JS work with AJAX http calls?
  28. Stop the browser “throbber of doom” while loading comet/server push iframe
  29. List of events
  30. ICEfaces libary in classpath prevents Save As dialog from popping up on file download

Leave a Comment