Enabling Cross-Origin Resource Sharing (CORS) is security-sensitive. For example, it has led in the past to the following vulnerabilities:

Applications that enable CORS effectively relax the browser's same-origin policy, which exists to prevent AJAX requests to hosts other than the one shown in the browser address bar. A CORS configuration that is too permissive can allow an attacker to gain access to sensitive information.

This rule flags code that enables CORS or specifies any HTTP response headers associated with CORS. The goal is to guide security code reviews.

Ask Yourself Whether

Recommended Secure Coding Practices

Sensitive Code Example

// === Java Servlet ===
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CorsServlet extends HttpServlet {
  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    resp.setHeader("Content-Type", "text/plain; charset=utf-8");
    // Each CORS response header widens what a cross-origin page may do, so every one of them is flagged for review
    resp.setHeader("Access-Control-Allow-Origin", "http://localhost:8080"); // Questionable
    resp.setHeader("Access-Control-Allow-Credentials", "true"); // Questionable
    resp.setHeader("Access-Control-Allow-Methods", "GET"); // Questionable
    resp.getWriter().write("response");
  }
}

// === Spring MVC Controller annotation ===
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@CrossOrigin(origins = "http://domain1.com") // Questionable: class-level policy applies to every handler in this controller
@RequestMapping("")
public class TestController {
    @RequestMapping("/")
    public String home(ModelMap model) {
        model.addAttribute("message", "ok");
        return "view";
    }

    @CrossOrigin(origins = "http://domain2.com") // Questionable: method-level policy, merged by Spring with the class-level one
    @RequestMapping(value = "/test1")
    public ResponseEntity<String> test1() {
        return ResponseEntity.ok().body("ok");
    }
}
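A stricter counterpart to the servlet case above, added here as an illustration and not code from the rule page: origins are checked against an explicit allow-list (the two hostnames are assumed values), the request's Origin is echoed back only on an exact match, credentials are never combined with a wildcard, and the response carries Vary: Origin so a shared cache cannot serve one origin's CORS headers to another. It uses the javax.servlet API of the examples above.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Servlet filter that applies a strict CORS policy in front of the application's handlers.
public class CorsAllowListFilter implements Filter {
    // Explicit allow-list of full origins (scheme + host + port). Hostnames are assumed values. Set.of needs Java 9+.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.com",
            "https://admin.example.com");

    // Returns the Origin value to echo back, or null for same-origin requests and unlisted origins.
    // Exact string match only: no "*", no prefix or suffix matching, no reflection of arbitrary origins.
    static String allowedOriginFor(String originHeader) {
        if (originHeader == null) {
            return null; // no Origin header: not a cross-origin browser request
        }
        return ALLOWED_ORIGINS.contains(originHeader) ? originHeader : null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String origin = allowedOriginFor(req.getHeader("Origin"));
        if (origin != null) {
            resp.setHeader("Access-Control-Allow-Origin", origin);
            // Tell shared caches the response depends on Origin, so one origin's headers are never reused for another
            resp.addHeader("Vary", "Origin");
            // Credentials are only allowed together with a single, exactly matched origin, never with "*"
            resp.setHeader("Access-Control-Allow-Credentials", "true");
            resp.setHeader("Access-Control-Allow-Methods", "GET, POST");
            resp.setHeader("Access-Control-Allow-Headers", "Content-Type");
            resp.setHeader("Access-Control-Max-Age", "600");
        }

        if ("OPTIONS".equalsIgnoreCase(req.getMethod())) {
            // Preflight: answer here and never run the real handler. 204 without CORS headers means the browser denies it.
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Register it like any other filter (for example with @WebFilter("/*")) so it runs before the servlets above; on Jakarta EE 9 and later the package is jakarta.servlet instead of javax.servlet.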

See