same-origin policy and CORS – what’s the point?

The important thing to note here is that if the user is signed in to a site and the request deletes a post by the user, then the following code will delete the user’s post:

<script src="" />

This is called a CSRF/XSRF attack (cross-site request forgery). This is why most server-side web applications demand a transaction ticket: instead of you have to do

Now the following attack won’t work:

<script src="" />

…because it doesn’t contain the txid parameter. Now, let’s consider what happens if the site could be accessed using XmlHttpRequest. The script running on the user’s browser could behind the user’s back retrieve and parse, extract the txid and then request

Now, if XmlHttpRequest cannot access sites having a different origin, the only way to try to retrieve the txid would be to try to do something like:

<script src="" />

…but it doesn’t help as the result is a HTML page, not a piece of JavaScript code. So, there’s a reason why you can include <script>s from other sites but not access other sites via XmlHttpRequest.

You may be interested in reading this:

This attack worked against Gmail back in the day and allowed you to fetch the user’s mails from JavaScript code running on another site. This all shows that the security model of WWW is very subtle and not well thought of. It has evolved instead of being well-designed.

As for your question: you seem to think that the server is the malicious one. That’s not the case. Using the notations of my answer, is the server that is the target of the attack, and is the site of the attacker. If opens up the possibility to send requests using JSONP or CORS, it is true that it may become vulnerable to the CSRF/XSRF attack I just described. But it does not mean that other sites would become vulnerable to the attack. Similarly, if opens up the possibility to send requests using JSONP or CORS, the attacker’s site just became vulnerable to a CSRF/XSRF attack. Thus, a misinformed server administrator may open up a hole in his own site but it doesn’t affect the security of other sites.

Edit: a valid comment was made. It explained that the following code:

<script src="" />

…sends a GET request, and that should accept only POST or DELETE requests if the request changes state such as deletes something important.

This is true, a well-designed site shouldn’t change state based on any GET request. However, this sends a POST request:

<p>You just won $100! Click below to redeem your prize:</p>
<form action="" method="post">
  <input type="hidden" name="id" value="1" />
  <input type="submit" value="Redeem prize" />

In this case, the code claiming the user won $100 can be embedded into the attacker’s site and it sends a POST request not to the attacker’s site but rather the victim’s site.

Leave a Comment