10

By default, Amazon S3 blocks cross-origin requests. However, it allows users the ability to set up per-bucket CORS policies. It offers fairly elaborate controls for which domains and methods the user wants to enable.

To me, such conservative defaults and fine-grained settings suggest that there is some reason that I might not want to let all of my buckets respond with Access-Control-Allow-Origin: *, but for the life of me I can't think of a single way it could be abused.

S3 already provides a fairly elaborate ACL policy, and users cannot authenticate via cookies (as far as I know), so the problem doesn't seem to be people getting to information they shouldn't be able to get to.

S3 also provides an entirely separate way to block access to certain domains entirely, including for plain old image tags, so it doesn't seem to be an issue of hotlinking.

Is there any risk at all to a super-open CORS policy?

Anders
user2719333
  • Cookies would be irrelevant anyway. When you use the 'Access-Control-Allow-Origin: *' wildcard, 'Access-Control-Allow-Credentials' is not allowed. This is typically implemented in the browser by just ignoring the credentials header. Just an aside. – user18519 May 30 '17 at 12:25

2 Answers

2

CORS is designed to control browser behavior. By default, a web browser can only fetch content from an AWS S3 bucket via a direct link, i.e. navigating to the URL.

With the correct CORS settings you can allow browsers visiting other domains to fetch these files via AJAX. A super open CORS policy will only let any website fetch your files via AJAX (possibly without the user's knowledge). A "closed" CORS policy will not allow you to hide anything you have in the S3 bucket; it is not designed to.

The risk part really depends on your exact use-case. Let's say you store public articles on S3 and you only want your website to be able to fetch them in the browser and display them. A super-open policy, in this case, will make it trivial for others to copy your site without needing to scrape your documents because you will gladly serve it for them as well.

Generally, I would say a super-open policy for S3 is not a problem.

Daniel Szpisjak
1

If you use Amazon Web Services only for handling unprotected public content like profile images or something else, then opening the CORS policy shouldn't pose any threat, but if you are using it for handling some sensitive information then you should block CORS requests.

Sometimes it does happen that a website allows CORS but puts some sensitive information like CSRF tokens etc. in the response, which can be used by an attacker with malicious intent.

There are numerous cases of misimplementation of CORS policy leading attackers to steal sensitive data, tokens etc. There are a lot of HackerOne reports about such attacks.

https://hackerone.com/reports/163491

http://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
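The two answers above describe the same mechanism from opposite sides: the bucket's CORS rules decide which response headers S3 emits, and the browser then decides whether a cross-origin script may read the response. The following is an added example written for this page (it is not code from either answer, from AWS, or from the linked reports). It models both halves in plain JavaScript so the outcomes can be checked offline: a simplified S3-style rule matcher (Origin and method only, no preflight or ExposeHeaders handling), the browser's read-permission rule including the wildcard-plus-credentials restriction mentioned in the comment on the question, and the origin-reflecting misconfiguration the second answer refers to. The bucket rules, origins and endpoint behaviour are constructed for the demo and are assumptions, not real services.

```javascript
// Added example (not part of the original Q&A). Models (1) an S3-style per-bucket CORS
// rule set turning a request into response headers and (2) the browser's decision on
// whether a cross-origin page may read that response. Simplified: simple GET requests
// only, no preflight, no ExposeHeaders/MaxAgeSeconds handling. All origins are made up.

// Match an Origin against one AllowedOrigins entry. S3 permits a single '*' wildcard
// per entry (e.g. "https://*.example.com"); this reproduces that matching.
function originMatches(pattern, origin) {
  if (pattern === '*') return true;
  const idx = pattern.indexOf('*');
  if (idx === -1) return pattern === origin;
  const head = pattern.slice(0, idx);
  const tail = pattern.slice(idx + 1);
  return origin.length >= head.length + tail.length
    && origin.startsWith(head)
    && origin.endsWith(tail);
}

// Simplified model of S3 evaluating a bucket's CORS rules for a simple request.
// Returns the CORS headers it would add, or {} when no rule matches (no CORS headers).
function s3CorsHeaders(rules, requestOrigin, method) {
  for (const rule of rules) {
    const methodOk = rule.AllowedMethods.includes(method);
    const pattern = rule.AllowedOrigins.find((p) => originMatches(p, requestOrigin));
    if (!methodOk || pattern === undefined) continue;
    // A literal '*' rule answers with '*'; a specific/wildcard-pattern match echoes
    // the requesting Origin (assumption about S3 behaviour, modelled here).
    return { 'Access-Control-Allow-Origin': pattern === '*' ? '*' : requestOrigin };
  }
  return {};
}

// Browser-side rule: a script running on pageOrigin may read the response iff
//   - Access-Control-Allow-Origin is '*' or exactly equals pageOrigin, and
//   - when credentials (cookies, HTTP auth) were sent, ACAO is NOT '*' and
//     Access-Control-Allow-Credentials is exactly 'true'.
function browserAllowsRead(pageOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  if (acao === undefined) return false;           // no CORS headers: opaque, unreadable
  if (withCredentials) return acao === pageOrigin && acac === 'true';
  return acao === '*' || acao === pageOrigin;
}

// Two bucket configurations in the shape of an S3 CORS configuration document.
const OPEN_RULES = [
  { AllowedOrigins: ['*'], AllowedMethods: ['GET'], AllowedHeaders: ['*'], MaxAgeSeconds: 3000 },
];
const RESTRICTED_RULES = [
  { AllowedOrigins: ['https://www.example.com'], AllowedMethods: ['GET'],
    AllowedHeaders: ['*'], MaxAgeSeconds: 3000 },
];

// Scenario from the first answer: can a page on thirdPartyOrigin fetch() a public
// object from the bucket and read its body?
function canThirdPartyReadPublicObject(rules, thirdPartyOrigin) {
  const headers = s3CorsHeaders(rules, thirdPartyOrigin, 'GET');
  return browserAllowsRead(thirdPartyOrigin, headers, false);
}

// Scenario from the second answer: a (non-S3) application endpoint that reflects any
// Origin and also sets Allow-Credentials. Modelled as the headers such a server returns.
function reflectingServerHeaders(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,       // echoes whatever Origin was sent
    'Access-Control-Allow-Credentials': 'true',
  };
}

// With credentials included, the victim's cookies ride along and the attacker's page
// is allowed to read the authenticated response (e.g. one containing a CSRF token).
function canAttackerReadAuthenticatedData(attackerOrigin) {
  return browserAllowsRead(attackerOrigin, reflectingServerHeaders(attackerOrigin), true);
}

// The comment's point: '*' combined with credentials is rejected by the browser even if
// the server sends Allow-Credentials: true.
function wildcardWithCredentialsReadable(pageOrigin) {
  const headers = {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
  };
  return browserAllowsRead(pageOrigin, headers, true);
}
```

Running the scenarios shows the split the answers describe: with OPEN_RULES any origin can read a public object, with RESTRICTED_RULES only https://www.example.com can, a wildcard never grants a credentialed read, and the origin-reflecting endpoint with Allow-Credentials is the case where an attacker page actually reads authenticated data.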