mitsest mitsest - 10 months ago 73
iOS Question

Cordova & CORS (iOS)

I recently got my hands on a relatively old Cordova app for iOS (iPhones), which was built around one year ago, in order to debug it.

The app queries an API from a server. This server is built using Laravel and makes use of laravel-cors.

For a peculiar reason, the developers of this app have set up CORS server-side to accept requests, only if the Origin header is missing.

I was told that the app was working just fine for the past year.
While debugging it, I noticed that the iOS browser adds origin => 'file://' to its headers when the Cordova app uses $.ajax for doing requests.

And now for my questions

Are you aware of such a change on newer iOS versions?
I suppose I can't do anything client-side in order to bypass it?

How safe is it to add "file://" as an accepted origin, server-side?

Thanks a ton!

Answer Source

The reason the server accepts null-Origin isn't "peculiar" -- that is how CORS is defined to work. It is intended to protect against browser-based XSS attacks -- browsers send the Origin header automatically so the server can accept or reject the request based on which domain(s) they allow javascript calls from. It is intended as a safe standards-based successor to the JSONP hack to allow cross-origin server requests, but in a controlled way. By default, browsers require and allow only same-origin XHRs and other similar requests (full list).

CORS is undefined for non-browser clients, since non-browser clients can set whatever Origin they want anyway (e.g. curl), so in those cases it makes sense to just leave off the Origin header completely.

To answer part of your question, it is not (very) safe to add file:// as an accepted origin server-side. The reason is that an attacker wishing to bypass CORS protections could trick a user into downloading a web page to their filesystem and then executing it in their browser -- thus bypassing any intended Origin restrictions since file:// is in the allowed list. There may also be other exploits, found and unfound, that could take advantage of accepting a file:// origin.

You'll have to evaluate the risks of adding this based on your own project requirements.
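As an added illustration of the answer's point (this is not code from the question, the answer, or laravel-cors), here is a small server-side origin check in JavaScript that behaves the way the answer describes: a request with no Origin header is served as a non-browser request, an origin on an exact-match allowlist is echoed back, and everything else, including `file://` and the literal `null` that browsers send for opaque origins, is refused. The allowlist entry `https://app.example.com` and the request headers are constructed samples.

```javascript
// Added example (not code from the question, the answer, or laravel-cors):
// a minimal server-side CORS origin decision. Plain functions, no framework.

// Constructed sample allowlist. Entries are exact serialised origins
// (scheme://host[:port]); no wildcards, no substring matching.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Turn an Origin header value into the serialised tuple origin a browser
// would send, or null if it is not a tuple origin. file: URLs, "null" and
// unparseable values all end up as null: a file: origin is opaque, so every
// page opened from disk (including a page an attacker persuaded the user to
// download, as the answer warns) presents the same value, and there is
// nothing specific to allowlist.
function normalizeOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return null; // "null" or garbage: not a URL at all
  }
  return url.origin === 'null' ? null : url.origin;
}

// Decide how to answer a request given its headers.
// Returns { allowed, reason, headers } where headers are the CORS response
// headers to add (empty when none apply).
function decideCors(requestHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = getHeader(requestHeaders, 'Origin');

  // No Origin header: not a cross-origin browser request (the case the
  // answer says the server was built to accept). Nothing to add.
  if (origin === undefined) {
    return { allowed: true, reason: 'no Origin header', headers: {} };
  }

  const normalized = normalizeOrigin(origin);
  if (normalized === null) {
    return { allowed: false, reason: `opaque or invalid origin: ${origin}`, headers: {} };
  }
  if (!allowed.has(normalized)) {
    return { allowed: false, reason: `origin not allowlisted: ${normalized}`, headers: {} };
  }

  // Echo the exact matched origin (never "*") and tell caches that the
  // response depends on the Origin header.
  return {
    allowed: true,
    reason: 'origin allowlisted',
    headers: { 'Access-Control-Allow-Origin': normalized, Vary: 'Origin' },
  };
}

// Stand-alone demo over constructed requests, including the Cordova request
// from the question as it would look to this check.
for (const h of [{}, { origin: 'file://' }, { Origin: 'https://app.example.com' }, { origin: 'https://evil.example' }]) {
  console.log(JSON.stringify(h), '->', decideCors(h).reason);
}
```

With this check the Cordova request carrying `Origin: file://` is refused, which is exactly the trade-off the answer leaves to the asker; the alternative of putting `file://` on the allowlist cannot even be expressed here, because the normaliser collapses every file: origin to the same opaque value. Exact matching on the serialised origin also means `https://app.example.com:443` matches (the default port is dropped by the URL parser) while `https://app.example.com.evil.example` does not.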