upvote

points

by hn_throwaway_9915 hours ago |
comments
upvoteby ctidd14 hours ago|
next
[-]
All CORS does is allow for selective loosening of anti-CSRF controls. CORS is a mechanism for a service to tell a client “I’m CSRF-resistant” so that that the client doesn’t need to protect its user as tightly when interacting with that service.
reply
upvoteby webstrand13 hours ago|
parent|
[-]
Isn't CSRF about forging mutating requests? CORS doesn't block the underlying GET/POST request, the request still goes through and the server still needs to properly implement CSRF prevention. CORS just prevents javascript from reading the response.

CORS _additionally_ requires OPTIONS pre-flight to succeed, before allowing any kind of request outside of what can be achieved with a HTML form submit action. So it blocks PUT/PATCH/DELETE, specifying most Content-Type, and specifying nearly all other headers. But this is just blocking "non-standard complex requests that might confuse badly programmed pre-javascript-era servers".

It passes all standard requests that you could have made by: embedding the url as an image src, the target of a HTML form, endpoint for csp reports, etc. All still need to be checked methodically by the server for CSRF if it's going to take any mutating action due to the request.

reply
upvoteby ctidd1 hours ago|
parent|
next
[-]
CSRF can compromise the non-mutating path as well to exfiltrate data, but the mutating path and non-mutating are different, hence the OPTIONS preflight required prior to sending mutating requests.

The browser enforces the same-origin policy by preventing read on non-mutating (i.e. “simple”) request responses and preventing sending of mutating requests (i.e. non-“simple”). CORS provides a protocol for a service to loosen these controls.

reply
upvoteby paulddraper3 hours ago|
parent|
prev|
[-]
> CORS doesn't block the underlying GET/POST request

It does block ALL requests for certain content types.

In the common cross origin case of a JSON API, CSRF beyond CORS is unnecessary.

reply
upvoteby mr_toad6 hours ago|
prev|
next
[-]
> CORS rules only prevent the JavaScript web client from reading the response

To nitpick, it’s the same origin policy that does that.

reply
upvoteby mycall11 hours ago|
prev|
[-]
> CORS rules only prevent the JavaScript web client from reading the response from a remote endpoint

Assuming the web client plays nicely. I commonly bypass CORS for playwright unit/E2E testing.

reply