Anyone in the WebAppSec world is familiar with CORS as a mechanism to specify policy for when javascript is allowed to make API calls to different domains. As WebAssembly ("Wasm" - a binary web language standardized in 2019; webassembly.org, wikipedia/WebAssembly) gains popularity, I'm curious if my CORS:Javascript knowledge transfers over cleanly to CORS:Wasm, or if CORS has different behaviour and "gotchas" with Wasm?

For example, from the Mozilla docs:

  • Cross-Origin Resource Sharing (CORS) mentions javascript a bunch of times, but not Wasm.
  • From the docs, it seems like CORS applies to the browser APIs XMLHttpRequest and Fetch API, and I'm not expert enough to know if those are javascript APIs and I need to go looking in Wasm API docs for the Wasm equivalents, or if those APIs are low-level enough that they are common to JS and Wasm and therefore Wasm inherits exactly the CORS that I know and love.
Mike Ounsworth
  • Interesting question, +1. One minor nitpick: `'CORS as a mechanism to restrict javascript from making calls to different domains'` - actually, Same Origin Policy (SOP) is what restricts javascript from making calls to different domains. CORS is used to relax SOP, in cases where cross-origin requests are allowed. – mti2935 Feb 25 '21 at 17:05
  • @mti2935 Good nit, thanks. Is this better? `a mechanism to specify policy for when javascript is allowed to make API calls to different domains` ? – Mike Ounsworth Feb 25 '21 at 17:39
  • That looks better. I'm in the process now of trying to cook up a quick wasm module to do a cross-origin request as a test to see if (a) the request is blocked by SOP (as it should be), then if so, (b) if the request is allowed once a CORS policy is put in place to relax SOP. Stand by... – mti2935 Feb 25 '21 at 17:45
  • @mti2935 Amazing! – Mike Ounsworth Feb 25 '21 at 17:51

1 Answer

It looks like Same-Origin Policy (SOP) applies to WebAssembly modules. See https://webassembly.org/docs/security/, where it states:

Additionally, each module is subject to the security policies of its embedding. Within a web browser, this includes restrictions on information flow through same-origin policy.

mti2935
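
An added example, not part of the original question or answer, showing why a module is bound by "the security policies of its embedding": core WebAssembly has no network instruction, so a module can only make a request through a function the embedding JavaScript imports into it, and in a browser that function is where `fetch`/`XMLHttpRequest` and therefore SOP and CORS apply. The names `env.host_fetch` and `run`, and the URL, are constructed for illustration; the module is hand-assembled so the example runs offline.

```javascript
// Helpers to assemble a tiny Wasm binary (all lengths here fit in one byte).
const str = (s) => [s.length, ...new TextEncoder().encode(s)];
const section = (id, body) => [id, body.length, ...body];

const wasmBytes = Uint8Array.from([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,      // "\0asm", version 1
  ...section(1, [1, 0x60, 1, 0x7f, 1, 0x7f]),          // type 0: (i32) -> i32
  ...section(2, [1, ...str("env"), ...str("host_fetch"), 0x00, 0]), // import func 0
  ...section(3, [1, 0]),                               // one local func, type 0
  ...section(7, [1, ...str("run"), 0x00, 1]),          // export func 1 as "run"
  ...section(10, [1, 6, 0, 0x20, 0, 0x10, 0, 0x0b]),   // local.get 0; call 0; end
]);
const wasmModule = new WebAssembly.Module(wasmBytes);

// Audit step: everything the module can reach is in its import list.
function listImports() {
  return WebAssembly.Module.imports(wasmModule)
    .map((i) => `${i.module}.${i.name}:${i.kind}`);
}

// The host decides what host_fetch does. Here it only records the request;
// in a browser it would call fetch(urlTable[id]), which enforces SOP/CORS.
function runWithHost(urlTable) {
  const seen = [];
  const env = { host_fetch: (id) => { seen.push(urlTable[id]); return 1; } };
  const instance = new WebAssembly.Instance(wasmModule, { env });
  const result = instance.exports.run(0); // module asks for request #0
  return { result, seen };
}

// Without a host-supplied import the module cannot even be linked.
function failsToLinkWithoutImport() {
  try {
    new WebAssembly.Instance(wasmModule, { env: {} });
    return false;
  } catch (e) {
    return e instanceof WebAssembly.LinkError;
  }
}

console.log(listImports(), runWithHost(["https://api.other.example/data"]),
  failsToLinkWithoutImport());
```

`WebAssembly.Module.imports()` is a quick way to review which host functions a third-party module expects before instantiating it.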