Hamed Momeni Hamed Momeni - 4 months ago 25
Ajax Question

What are the security risks of setting Access-Control-Allow-Origin?

I recently had to set

Access-Control-Allow-Origin
to
*
in order to be able to make cross-subdomain ajax calls.

Now I can't help but feel that I'm putting my environment to security risks.

Please help me if I'm doing it wrong.

Answer

By responding with Access-Control-Allow-Origin: * the requested resource allows sharing with every origin. This basically means that any site can send a XHR request to your site and access the server’s response which would not be the case if you hadn’t implemented this CORS response.

So any site can make a request to your site in behalf of their visitors and process the response of it. If you have something implemented like an authentication or authorization scheme that is based on something that is automatically provided by the browser (cookies, cookie-based sessions, etc.), the requests triggered by the third party sites will use them, too.

This indeed poses a security risk, particularly if you allow resource sharing not just for selected resources but for every resource. In this context you should have a look at When is it safe to enable CORS?.