
I know there are lots of posts on the same origin policy, but I specifically want to understand why it can't be done in this simpler way.

If evil.com sends a request to bank.com, browsers will not add cookies (so unauthenticated). Now you could have cross origin requests with no security issues?

  • Cookies are not the only issue: `evil.com` could run a script that reads and writes data on `bank.com`, like changing the destination of a transfer to another account. – ThoriumBR Jan 22 '21 at 20:43
  • But these would be unauthenticated requests which bank.com would not accept – curiousgeorge Jan 22 '21 at 20:44
  • What you describe are [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite), i.e. it already exists. And major recent browsers exhibit already the behavior you describe [by default](https://www.chromestatus.com/feature/5088147346030592). – Steffen Ullrich Jan 22 '21 at 21:32
  • Does this answer your question? [Doesn't Samesite cookie and Sameorigin policy effectively does the same job?](https://security.stackexchange.com/questions/226007/doesnt-samesite-cookie-and-sameorigin-policy-effectively-does-the-same-job), [Do I still need CSRF protection when SameSite is set to Lax?](https://security.stackexchange.com/questions/234386/do-i-still-need-csrf-protection-when-samesite-is-set-to-lax). – Steffen Ullrich Jan 22 '21 at 21:37
  • See https://security.stackexchange.com/questions/221658/what-would-happen-if-some-random-webpage-made-an-ajax-request-for-http-127-0-0 for an example of an attack that does not involve cookies, which SOP prevents. – mti2935 Jan 22 '21 at 22:18
  • @mti2935 this seems again like a case of not sending cross origin cookies – curiousgeorge Jan 23 '21 at 17:56
  • @curiousgeorge No. The private document that this attack is targeting (at http://127.0.0.1/private.txt) is not protected using cookie (or session) based authentication. The document is protected by virtue of the fact that it resides on the localhost. Without SOP, malicious javascript served by evil.com could read the document from http://127.0.0.1/private.txt and send it back to evil.com. SOP prevents this. But, blocking cross-origin cookies (instead of SOP) would not prevent the attack, because the document is not protected using cookie or session based authentication. – mti2935 Jan 23 '21 at 19:30

0 Answers