corgrath - 1 month ago
Ajax Question

Does "Access-Control-Allow-Origin" help me against someone pointing their domain to my server?

Maybe I misunderstood how to fully implement CORS in my server.

Given this screenshot of a request done via Chrome.


We can see that we are visiting the site shakh.photography, the request URL is a POST Ajax request towards /api/get-videos/, but the response contains an Access-Control-Allow-Origin header that mentions a totally different domain.

Even though the webserver responds with an Access-Control-Allow-Origin header, it is ignored by the browser. Everything still works.

I thought only setting the Access-Control-Allow-Origin header was sufficient to only allow requests coming from the specified origin.

What have I missed?

Until it's fixed, this situation is testable by visiting shakh.photography.

Answer

The Same Origin Policy only stops a site from triggering a cross origin Ajax request. This protects against a user's cookies being used by an attacking site to take data from your site using the authority of the user.

CORS allows you to selectively weaken the Same Origin Policy; it isn't used to strengthen it.

We can see that we are visiting the site shakh.photography, the request URL is a POST Ajax request towards /api/get-videos/, but the response contains an Access-Control-Allow-Origin header that mentions a totally different domain.

Even though the webserver responds with an Access-Control-Allow-Origin header, it is ignored by the browser. Everything still works.

Yes. This is normal. The request is from Site A to Site A. None of the cookies or other credentials the user might have for Site B are available to Site A (the browser sandboxes them from each other). You simply have a server which responds to both URLs with the same data.

A third party could do that, but they couldn't do it for just your API (except via a proxy, which is a different issue, with even fewer security implications). They'd have to make the whole site available under the other hostname; this shouldn't cause any security worries.

If you don't want that, then configure your server so that it uses Virtual Name Hosting and delivers different sets of content based on the Host header in the request.