
How can the CSRF happen if browsers do not allow cross-origin requests by default?

Here is a brief CSRF overview, which is relevant for the question. CSRF (i.e. cross-site request forgery) is a type of attack. For the attack to happen, the following points should apply:

  1. The back-end (BE) app should use cookies for authentication.

  2. The browser should submit cookies to the BE app with each call automatically.

  3. The victim of the CSRF should at first visit the front-end (FE) part of an app and authenticate into the app (i.e. set the authentication-related cookies in the browser).

  4. Then the victim should visit a malicious website.

  5. Now the malicious website is going to run a malicious request to the BE app. The request will be authenticated, because the browser will send the respective cookies automatically.

  6. Step 5 is the instance of the CSRF.

Now, we can say for sure that the malicious website won't have the same origin as the BE app. So, the browser will block the call from the malicious website to our BE app and no attack will happen.

I feel that I am missing something here, because whenever I read about CSRF no one mentions that browsers prevent cross-origin requests by default.

So, is it correct that there is no way for CSRF to happen if a browser prevents cross-origin requests? And as a result, is CSRF not possible in the world of modern browsers?

  • Of course browsers allow cross-origin requests. They just don't allow cross-origin XHR requests. Simple example: the `` tag. – Sep 30 '20 at 12:57
  • In general, browsers allow JavaScript to make cross-origin requests, but not to read the responses. This is changing a bit with same-site cookies (look it up for plenty more reading). – paj28 Sep 30 '20 at 13:14
  • Is this what you are looking for? https://security.stackexchange.com/a/157065/21234 – Shurmajee Sep 30 '20 at 13:47
  • @Shurmajee, yes. The linked question is what I was looking for. Thank you very much. (y) – Sasuke Uchiha Sep 30 '20 at 14:10
  • @paj28 An important distinction: `SameSite` only applies to _cross-site_ requests, not to all cross-origin requests. – jub0bs Sep 09 '21 at 15:47
  • @jub0bs - What's the difference between cross-site and cross-origin? – paj28 Sep 10 '21 at 14:21
  • @paj28 See https://web.dev/same-site-same-origin/ and about `SameSite` specifically, https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/. – jub0bs Sep 10 '21 at 16:59
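The comments above make three points worth seeing side by side: the browser does send a cross-site form POST (it only hides the response from scripts), `SameSite` withholds the cookie only on cross-*site* requests (so `app.bank.example` to `api.bank.example` is cross-origin yet same-site), and the server can reject the request regardless of cookies by checking `Origin`/`Sec-Fetch-Site`. This is an added model written for this page, not code from the question or the commenters; the hostnames `bank.example` and `attacker.example` are constructed, and the "registrable domain = last two labels" rule is a simplification of the Public Suffix List that real browsers use.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port)

def site(url):
    # Simplification: registrable domain = last two host labels. Real browsers
    # consult the Public Suffix List (so e.g. *.github.io are distinct sites).
    u = urlsplit(url)
    return (u.scheme, ".".join(u.hostname.split(".")[-2:]))

def is_cross_origin(initiator, target):
    return origin(initiator) != origin(target)

def is_cross_site(initiator, target):
    return site(initiator) != site(target)

def cookie_attached(samesite, initiator, target, method, top_level):
    """Model of whether the browser attaches a cookie set by `target` to a request
    caused by a page on `initiator`. `top_level` is True for navigations
    (form submit, link click), False for subresources and fetch/XHR."""
    if not is_cross_site(initiator, target):
        return True          # same-site (even if cross-origin): SameSite never withholds
    if samesite == "None":
        return True          # sent cross-site (browsers also require the Secure flag)
    if samesite == "Lax":
        return top_level and method.upper() in SAFE_METHODS
    return False             # Strict: never on cross-site requests

def server_accepts(method, headers, own_origin):
    """Cookie-independent server check: a state-changing request must come from our origin."""
    if method.upper() in SAFE_METHODS:
        return True
    sfs = headers.get("Sec-Fetch-Site")
    if sfs is not None and sfs not in ("same-origin", "none"):
        return False         # the browser itself says the initiator is not our origin
    # Policy choice: browsers send Origin on cross-origin POSTs; a missing one is treated as untrusted.
    return headers.get("Origin") == own_origin

if __name__ == "__main__":
    bank, evil = "https://bank.example", "https://attacker.example"
    # The attacker's page submits <form method=POST action=".../transfer">: the browser sends it.
    for ss in ("None", "Lax", "Strict"):
        print(ss, "cookie attached on cross-site form POST:", cookie_attached(ss, evil, bank, "POST", True))
    print("server rejects it anyway:", not server_accepts("POST", {"Origin": evil, "Sec-Fetch-Site": "cross-site"}, bank))
```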

0 Answers