How do I implement "Allow users to request from all origins"?
Major frameworks implement it as follows.
- django: use `*`
- rails/rack: use `*`
- play: use `*`
- express: use `*`
- laravel: use `*`
- javalin 5+: use `*`
`Access-Control-Allow-Origin: *` and `Access-Control-Allow-Origin: <request's Origin>` (without `Access-Control-Allow-Credentials: true`) are almost equal. (Really?)
📝 `Access-Control-Allow-Origin: *` cannot be combined with `Access-Control-Allow-Credentials: true`, because the spec forbids that combination.
`Access-Control-Allow-Origin: <request's ORIGIN>` + `Access-Control-Allow-Credentials: true` means that credentialed requests are allowed from any origin.
It will leak user info: the browser attaches the user's cookie to the request, and `Access-Control-Allow-Credentials: true` lets the requesting page read the response.
This CORS misconfiguration is known as "origin reflection".
- https://portswigger.net/web-security/cors
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CORS%20Misconfiguration/README.md
- https://medium.com/swlh/exploiting-cors-misconfiguration-vulnerabilities-2a16b5b979
However, modern browsers reduce the risk of `Access-Control-Allow-Origin: <request's ORIGIN>` + `Access-Control-Allow-Credentials: true` through SameSite cookies, because `SameSite=Lax` is the default in modern browsers.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#browser_compatibility
If a cookie has `SameSite=None`, a cross-origin request does include the cookie value.
Conversely, if a cookie has the `SameSite=Lax` attribute, a cross-origin request does not include the cookie value.
- cookie(SameSite=None) + cross origin → does send the cookie value
- cookie(SameSite=Lax or Strict) + cross origin → does not send the cookie value
As a result, the vulnerable implementation (`Access-Control-Allow-Origin: <request's ORIGIN>` + `Access-Control-Allow-Credentials: true`) allows an attacker to steal data protected by cookies that have the `SameSite=None` attribute.
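The following is an added, self-contained model of the three server policies (wildcard, origin reflection, allowlist) together with the browser-side checks that decide the outcome: whether a cookie with a given SameSite attribute is attached to a cross-site `fetch()`, and whether the calling page may read a credentialed response. It is illustration written for this note, not code from any of the frameworks listed above; the origins `https://attacker.example`, `https://bank.example` and `https://app.bank.example` are constructed, and the site comparison is simplified to the last two host labels (real browsers use the public suffix list).

```python
from urllib.parse import urlsplit

# Constructed origins for the walk-through (hypothetical hosts).
ATTACKER = "https://attacker.example"
TARGET = "https://bank.example"


def cors_headers(request_origin, mode, allowlist=()):
    """Server side: CORS response headers for the three policies discussed above."""
    if mode == "wildcard":
        # Safe "allow everyone" form; the spec forbids pairing it with credentials.
        return {"Access-Control-Allow-Origin": "*"}
    if mode == "reflect":
        # Origin reflection: trusts whatever Origin the client sent. Vulnerable.
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true"}
    if mode == "allowlist":
        # Credentialed CORS done right: reflect only known origins, and tell
        # caches that the answer depends on the Origin header.
        if request_origin in allowlist:
            return {"Access-Control-Allow-Origin": request_origin,
                    "Access-Control-Allow-Credentials": "true",
                    "Vary": "Origin"}
        return {}
    raise ValueError(f"unknown mode {mode!r}")


def site_of(origin):
    """Site used for the SameSite comparison (simplified to the last two labels)."""
    host = urlsplit(origin).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_sent(cookie, request_origin, target_origin):
    """Browser side: is the cookie attached to a scripted cross-site fetch()?

    `cookie` is a dict with optional "samesite" ("None"/"Lax"/"Strict") and "secure" keys.
    """
    if site_of(request_origin) == site_of(target_origin):
        return True  # same-site request: SameSite never blocks it
    samesite = cookie.get("samesite") or "Lax"  # missing attribute defaults to Lax
    if samesite == "None":
        # Modern browsers reject SameSite=None cookies that are not also Secure.
        return bool(cookie.get("secure"))
    return False  # Lax or Strict: not sent on a cross-site subresource request


def response_readable(cors, request_origin, credentials):
    """Browser side: may the calling page read the response body?"""
    acao = cors.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if not credentials:
        return acao in ("*", request_origin)
    # Credentialed request: the wildcard is refused and the origin must match exactly.
    return acao == request_origin and cors.get("Access-Control-Allow-Credentials") == "true"


def session_exposed(cookie, mode, allowlist=()):
    """Full picture: can a page on ATTACKER read TARGET's response with the user's cookie?"""
    if not cookie_sent(cookie, ATTACKER, TARGET):
        return False  # the response carries no user data, nothing to leak
    cors = cors_headers(ATTACKER, mode, allowlist)
    return response_readable(cors, ATTACKER, credentials=True)


if __name__ == "__main__":
    none_cookie = {"samesite": "None", "secure": True}
    lax_cookie = {"samesite": "Lax", "secure": True}
    for mode in ("wildcard", "reflect", "allowlist"):
        for name, c in (("SameSite=None", none_cookie), ("SameSite=Lax", lax_cookie)):
            exposed = session_exposed(c, mode, ["https://app.bank.example"])
            print(f"{mode:9} + {name:13} -> exposed={exposed}")
```

Only the `reflect` + `SameSite=None` combination ends up exposed: the wildcard policy is refused by the browser for credentialed reads, the allowlist policy never echoes the attacker origin, and a Lax or Strict cookie is not attached to the cross-site request in the first place.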
Note for SameSite cookie: