Enabling Cross-Origin Resource Sharing (CORS) is security-sensitive. For example, it has led in the past to the following vulnerabilities:
Applications that enable CORS effectively relax the same-origin policy in browsers, which is in place to prevent a script from reading the responses to requests it sends to hosts other than the one shown in the browser address bar. A CORS policy that is too permissive can let an attacker's page read such responses, including ones returned for the victim's session cookies, and so gain access to sensitive information.
This rule flags code that enables CORS or specifies any HTTP response headers associated with CORS. The goal is to guide security code reviews.
Ask yourself whether:
- Any URL responding with Access-Control-Allow-Origin: * includes sensitive content.
- Any domain specified in an Access-Control-Allow-Origin header is checked against a whitelist.

Recommended secure coding practices:
- Set the Access-Control-Allow-Origin header only on the specific URLs that require access from other domains. Don't enable the header on the entire domain.
- Don't rely on the Origin header blindly without validation: a non-browser client can send any value, and an attacker controls the origin of any page they host. Use a whitelist to check that the Origin value (scheme, host and port, compared exactly rather than by prefix, suffix or regular expression) is allowed before returning it in the Access-Control-Allow-Origin header. Reflecting an unvalidated Origin together with Access-Control-Allow-Credentials: true lets any site read authenticated responses on behalf of a logged-in user.
- Use Access-Control-Allow-Origin: * only if your application absolutely requires it, for example in the case of an open/public API. For such endpoints, make sure that there is no sensitive content or information included in the response. Browsers refuse to expose a credentialed response that carries the wildcard, so * is only ever appropriate for anonymous data.

Questionable code examples:

```java
// === Java Servlet ===
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CorsServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.setHeader("Content-Type", "text/plain; charset=utf-8");
        resp.setHeader("Access-Control-Allow-Origin", "http://localhost:8080"); // Questionable
        resp.setHeader("Access-Control-Allow-Credentials", "true"); // Questionable
        resp.setHeader("Access-Control-Allow-Methods", "GET"); // Questionable
        resp.getWriter().write("response");
    }
}
```

```java
// === Spring MVC Controller annotation ===
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@CrossOrigin(origins = "http://domain1.com") // Questionable: applies to every handler in the class
@RequestMapping("")
public class TestController {

    @RequestMapping("/")
    public String home(ModelMap model) {
        model.addAttribute("message", "ok");
        return "view";
    }

    @CrossOrigin(origins = "http://domain2.com") // Questionable
    @RequestMapping(value = "/test1")
    public ResponseEntity<String> test1() {
        return ResponseEntity.ok().body("ok");
    }
}
```
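A hardened counterpart to the questionable examples above, added here as an illustration and not taken from the rule page or from SonarSource: a servlet filter that compares the incoming Origin exactly against an explicit allowlist and emits the CORS headers only on a match, sends Vary: Origin because the response now depends on a request header, and answers preflights itself. The class name, the allowlist entries and the sample origins in main are placeholders chosen for this example.

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: the class name and the allowlist are placeholders for this example.
public class AllowlistCorsFilter implements Filter {

    // Whole origins (scheme, host, port), never bare hostnames: the "http://" and
    // "https://" variants of the same host are different origins.
    static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.com",
            "https://admin.example.com:8443");

    /**
     * Returns the value to send in Access-Control-Allow-Origin, or null when the
     * request has no Origin header or its Origin is not on the allowlist.
     */
    static String resolveAllowedOrigin(String origin) {
        if (origin == null) {
            return null; // same-origin or non-browser request: emit no CORS headers at all
        }
        // Exact, case-sensitive set lookup. endsWith("example.com"), contains(...) or a
        // loosely anchored regex would also accept "https://app.example.com.attacker.net".
        return ALLOWED_ORIGINS.contains(origin) ? origin : null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String allowed = resolveAllowedOrigin(request.getHeader("Origin"));
        if (allowed != null) {
            response.setHeader("Access-Control-Allow-Origin", allowed);
            // Credentials are enabled only together with a specific allowlisted origin,
            // never with "*" and never with a reflected, unvalidated value.
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Access-Control-Allow-Methods", "GET, POST");
            response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
            // The response now depends on the Origin request header; without Vary a shared
            // cache could hand one origin's response to another.
            response.addHeader("Vary", "Origin");
        }

        // Preflight requests get an empty 204 carrying only the headers set above; an
        // origin that is not allowlisted therefore gets a preflight the browser rejects.
        if ("OPTIONS".equals(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null) {
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    // Constructed sample Origin values showing which ones the allowlist accepts.
    public static void main(String[] args) {
        String[] samples = {
                "https://app.example.com",              // accepted: exact match
                "https://admin.example.com:8443",       // accepted: port is part of the origin
                "http://app.example.com",               // rejected: wrong scheme
                "https://app.example.com.attacker.net", // rejected: lookalike suffix
                "https://APP.example.com",              // rejected: browsers send lowercase hosts
                "null",                                 // rejected: opaque origin (sandboxed iframe, file://)
        };
        for (String origin : samples) {
            System.out.println(origin + " -> " + resolveAllowedOrigin(origin));
        }
    }
}
```

Register the filter only on the URL patterns that genuinely need cross-origin access, not on /*; that is the per-URL scoping the recommendations above ask for, and it keeps the rest of the application under the plain same-origin policy.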