DEV Community

Understanding CORS

Martin Splitt on November 12, 2019

This is a cross-posting from my blog TL;DR The browser enforces the Same-origin policy to avoid getting responses from websites that d...
Collapse
 
malvoz profile image
Robert Linder

In the "Allowing multiple origins" example, Vary: Origin should be set in the response to avoid incorrect content being served (if content may differ depending on the requesting origin). See fetch.spec.whatwg.org/#cors-protoc...

Collapse
 
g33konaut profile image
Martin Splitt

Good point, thanks for your input! Added it to the example in that section :)

Collapse
 
iamandrewluca profile image
Andrei L • Edited

Do we need CSRF protection if CORS is disabled (now allowed from other domains) ?
For me it seems logic that is no need for CSRF protection if CORS is disabled, but couldn't find any exact answer.

Collapse
 
g33konaut profile image
Martin Splitt

Note that without CORS headers the request is still happening, you just don't have access to the response. Unless you have some server-side mechanism to detect requests from other origins, you could still run the risk of CSRF. I'm with @theincorrigible1 that you should protect against CSRF on any inputs that can change state.

Here's a potential example:

  • Say your router is at 192.168.0.1 and there's a form to change the admin password with a POST request, e.g. POST to 192.168.0.1/settings with a body like "password=abc123".
  • If some website now makes such a request, it won't see the response from the router (that's what CORS prevents), but the request would happen and possibly change your router password..
Collapse
 
iamandrewluca profile image
Andrei L

Now I get it.
But can the attacker make a simple request, and get a CSRF token,
then make second request with that token included?

Collapse
 
mburszley profile image
Maximilian Burszley

You should protect against CSRF on any inputs that can change state imo.

Collapse
 
iamandrewluca profile image
Andrei L
  • CSRF is Cross-site request forgery
  • CORS is Cross-origin resource sharing

If no one from another origin is able to make requests to your site (CORS disabled),
then CSRF is redundant imo.

Thread Thread
 
mburszley profile image
Maximilian Burszley

But that's not what CORS does. Re-read the warning in the article.

Collapse
 
richardeschloss profile image
Richard Schloss • Edited

Thanks for writing this. Bookmarked.