CORS: "Allow All Origins" implemention in major framework

CORS.md

How do I implement "Allow users to request from all origins"?

Major frameworks's implementation is following.

• dojango: use *
  • https://github.com/adamchainz/django-cors-headers/blob/8484b2addc72665770872bebfc9cbaed8d041768/src/corsheaders/middleware.py#L151-L154
• rails/rack: use *
  • https://github.com/cyu/rack-cors/blob/b718a196cfe8daeeffbe5228d6878a28f7a0b6ac/lib/rack/cors/resource.rb#L63-L79
• play: use *
  • https://github.com/playframework/playframework/blob/78bcdb4e1d1fe0a350ab2a56a38649571415383f/web/play-filters-helpers/src/main/scala/play/filters/cors/CORSConfig.scala#L63-L68
• express: use *
  • https://github.com/expressjs/cors/blob/f038e7722838fd83935674aa8c5bf452766741fb/lib/index.js#L41-L46
• laravel: use *
  • https://github.com/fruitcake/php-cors/blob/76d219410b710d9f5b4d52b1febffe57b4cf4f16/src/CorsService.php#L206-L208
• javalin 5+: use *
  • https://github.com/javalin/javalin/blob/c5a6ede221a908a85733c5cf498edc2facde4cf3/javalin/src/main/java/io/javalin/plugin/bundled/CorsPlugin.kt#L36-L38
  • Issue: javalin/javalin#1632

Which is better?

Access-Control-Allow-Origin: * and Access-Control-Allow-Origin: <request's Origin>(without Access-Control-Allow-Credentials: true) are almost equal. (Really?)

📝 Access-Control-Allow-Origin: * disallow to use Access-Control-Allow-Credentials: true because It is defeined by spec.

• https://fetch.spec.whatwg.org/#cors-protocol-and-credentials

Typical Vulnerabilities and SameSite Cookies

Access-Control-Allow-Origin: <request's ORIGIN> + Access-Control-Allow-Credentials: true means that allow to request with credentials from any origin. It will leak user info because the request include user's cookie by Access-Control-Allow-Credentials: true.

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials

This CORS misconfiguration is known as "origin reflection".

• https://portswigger.net/web-security/cors
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CORS%20Misconfiguration/README.md
• https://medium.com/swlh/exploiting-cors-misconfiguration-vulnerabilities-2a16b5b979

However, Modern browser reduce the risk about Access-Control-Allow-Origin: <request's ORIGIN> + Access-Control-Allow-Credentials: true by SameSite cookies.

Because SameSite=Lax is default in Moden browser.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#browser_compatibility

If a cookie value has SameSite=None, cross origin request does include the cookie value. Oppsise, If a cookie value has SameSite=Lax attribute, cross origin request does not include the cookie value.

• cookie(SameSite=None) + cross orign → does send the cookie value
• cookie(SameSite=Lax or Strict)+ cross orign → doest not send the cookie value

As a reuslt, the vulnerable implementation(Access-Control-Allow-Origin: <request's ORIGIN> + Access-Control-Allow-Credentials: true) allow an attacker to steal cookies that has SameSite=None attribute.

Note for SameSite cookie:

• The great SameSite confusion :: jub0bs.com