
Is it considered secure for an application to set the header access-control-allow-origin: * if, during normal usage of the application, the client credentials are injected into the headers by the JS code? E.g.:

GET /application/secretStuff

X-Authorization-Key: aaa
X-Authorization-Secret: bbbb

This means that if external malicious code tries to make a call to this URL it will be able to see the response, but this will be an authorization error anyway.

I understand there is at least one important drawback with this, namely the increase in attack surface. But I'm looking to understand if this approach has other major problems.

Anders
christophetd
  • CORS has very little to do with non-defense-in-depth security; hackers don't typically obey the same-origin policy anyway... – dandavis Apr 11 '17 at 19:31

2 Answers


This means that if external malicious code tries to make a call to this URL it will be able to see the response, but this will be an authorization error anyway.

Yeah, that is correct. To be able to get anything of value out of it, the attacker needs to get the credentials. If these are stored in local storage, in JS variables or wherever, they will be protected by the same-origin policy that the browser enforces.

So there is no major problem with your CORS policy in and of itself. But there are many related issues that you need to think about: Is the authentication scheme good? I assume third parties are supposed to use the API, since you want to enable cross-origin requests, so how do the third parties get the secrets? And so on.

Anders

Cross-origin requests are only dangerous when your browser will display something different than the attacker's browser. This is the case if the web site is only accessible from your location and not the attacker's, or when you are logged in to some web site. If you are logged in, forged requests carry your cookies for that web site, whereas normal requests from the attacker don't. If the site you use does not have cookies or any other form of implicit authentication, attackers cannot gain anything from cross-origin requests.

So it is not really the presence of headers but the absence of cookies that would make this application secure against cross-origin requests.

Sjoerd
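The following is an added example, not code from the question or either answer: a simplified model of how a browser applies CORS to the application described in the question, run over the scenarios the thread discusses (the attacker script without the key, a caller that holds the key, a credentialed request that rides on the victim's cookies as in Sjoerd's answer, and the preflight that the custom X-Authorization-* headers force). The server policy, the key/secret pair and the origins are all constructed for the demo; the model covers only the wildcard origin, the safelisted-header rule and the credentials rule, not the full Fetch standard.

```javascript
// Added example (not from the original thread): a reduced model of the
// browser-side CORS checks relevant to the question. Everything below is
// constructed for the demo; nothing here is a real server or real key.

const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const VALID_KEY = 'aaa';      // constructed, mirrors the question's example
const VALID_SECRET = 'bbbb';  // constructed

// Custom headers (anything outside the CORS safelist) or non-simple methods
// make the browser send an OPTIONS preflight before the real request.
function needsPreflight(req) {
  if (!SIMPLE_METHODS.has(req.method)) return true;
  return Object.keys(req.headers).some((h) => !SAFELISTED.has(h.toLowerCase()));
}

// Assumed server behaviour: Access-Control-Allow-Origin: * on every response,
// no Access-Control-Allow-Credentials, and the custom auth headers listed in
// Access-Control-Allow-Headers only when policy.allowAuthHeaders is set.
function serverResponse(req, policy) {
  const headers = { 'access-control-allow-origin': '*' };
  if (policy.allowAuthHeaders) {
    headers['access-control-allow-headers'] = 'X-Authorization-Key, X-Authorization-Secret';
  }
  if (req.method === 'OPTIONS') return { status: 204, headers, body: '' };
  const key = req.headers['X-Authorization-Key'];
  const secret = req.headers['X-Authorization-Secret'];
  if (key === VALID_KEY && secret === VALID_SECRET) {
    return { status: 200, headers, body: 'secret stuff' };
  }
  return { status: 401, headers, body: 'unauthorized' };
}

// Response-side origin check. When the request carries credentials the
// wildcard is rejected and Access-Control-Allow-Credentials: true is required.
function originAllowed(headers, origin, withCredentials) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao === origin && headers['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === origin;
}

// What a script running on `origin` can observe when it fetches the API.
// `sent` records whether the real request reached the server at all.
function crossOriginFetch(origin, req, policy) {
  if (needsPreflight(req)) {
    const pre = serverResponse({ method: 'OPTIONS', headers: {} }, policy);
    if (!originAllowed(pre.headers, origin, req.withCredentials)) {
      return { blocked: true, sent: false, reason: 'preflight: origin not allowed' };
    }
    const allowed = (pre.headers['access-control-allow-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    const unlisted = Object.keys(req.headers).find(
      (h) => !SAFELISTED.has(h.toLowerCase()) && !allowed.includes(h.toLowerCase()));
    if (unlisted) {
      return { blocked: true, sent: false, reason: `preflight: header ${unlisted} not allowed` };
    }
  }
  // Past this point the request really is sent (cookies included when
  // withCredentials is set); the remaining check only decides whether the
  // calling script may read the response.
  const res = serverResponse(req, policy);
  if (!originAllowed(res.headers, origin, req.withCredentials)) {
    return { blocked: true, sent: true, reason: 'response: origin not allowed', serverStatus: res.status };
  }
  return { blocked: false, sent: true, status: res.status, body: res.body };
}

const POLICY = { allowAuthHeaders: true };
const OTHER_ORIGIN = 'https://other.example';  // constructed third-party origin
const AUTH = { 'X-Authorization-Key': VALID_KEY, 'X-Authorization-Secret': VALID_SECRET };

// Scenario 1 (the question): a script elsewhere without the key can read the
// response, but the response is only the 401.
function callerWithoutKey() {
  return crossOriginFetch(OTHER_ORIGIN, { method: 'GET', headers: {}, withCredentials: false }, POLICY);
}
// Scenario 2 (Anders' answer): whoever holds the key gets the data, so the
// key's confinement to the legitimate origin is the whole protection.
function callerWithKey() {
  return crossOriginFetch(OTHER_ORIGIN, { method: 'GET', headers: AUTH, withCredentials: false }, POLICY);
}
// Scenario 3 (Sjoerd's answer): a credentialed request still reaches the
// server carrying the user's cookies; the wildcard only hides the response.
function callerWithUserCookies() {
  return crossOriginFetch(OTHER_ORIGIN, { method: 'GET', headers: {}, withCredentials: true }, POLICY);
}
// Scenario 4 (deployment caveat): omitting Access-Control-Allow-Headers
// breaks the legitimate cross-origin client at the preflight stage.
function clientWithMissingAllowHeaders() {
  return crossOriginFetch('https://app.example', { method: 'GET', headers: AUTH, withCredentials: false },
    { allowAuthHeaders: false });
}
```

Scenario 3 is the one to keep in mind when the application later grows cookies or another implicit credential: the wildcard stops the response from being read, but the request itself is still delivered and acted on, so any state-changing endpoint would need its own CSRF defence rather than relying on the CORS header.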