Asked Friday, October 11, 2013 (answers: 1, hits: 21448)

It is said that instead of adding all domains to CORS, one should only add a set of domains.
Yet it is sometimes not trivial to add a set of domains. E.g., if I want to publicly expose an API, then for every domain that wants to make a call to that API I would need to be contacted to add that domain to the list of allowed domains.



I'd like to make a conscious trade-off decision between security implications and less work.



The only security issues I see are DoS attacks and CSRF attacks.
CSRF attacks can already be achieved with IMG elements and FORM elements.
DoS attacks related to CORS can be overcome by blocking requests based on the Referer header.



Am I missing security implications?






===Edit===




  • It is assumed that the Access-Control-Allow-Credentials header is not set

  • I know how to give a given list of domains CORS access, and I'm therefore only interested in the security implications of giving all domains CORS access



Answers

Except for csauve's, none of the replies answer my original question.



To answer my question: it seems that as long as Access-Control-Allow-Credentials is not set, there is no security problem.



(Which makes me wonder why the spec requires preflight when Access-Control-Allow-Credentials is not set?)


dominics, answered Thursday, October 10, 2013
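The rule the question and the answer above both turn on is the browser's side of CORS, so here it is written out as an added example (it is not code from the question, the answer, or any particular server). It models the two server policies from the question (wildcard for everyone, or an allowlist) and the check a browser applies to the response, including why `Access-Control-Allow-Origin: *` can never hand a credentialed response to another origin. It also answers the aside in the answer about preflight with the Fetch standard's "CORS-safelisted" rule for when an OPTIONS round trip happens at all. The origins, the allowlist, and the function names (`corsHeadersFor`, `browserAccepts`, `needsPreflight`) are this example's own.

```javascript
// Added example, not code from the original question or answer.
// ALLOWED_ORIGINS, corsHeadersFor, browserAccepts and needsPreflight are
// this example's own names; the origins below are made up.

// Hypothetical allowlist for the "set of domains" variant.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Server side: CORS response headers for a request carrying `requestOrigin`.
//   'public'  -> wildcard, no credentials: the "allow all domains" trade-off
//                discussed in the question.
//   'private' -> allowlist plus credentials. Browsers refuse '*' combined
//                with Access-Control-Allow-Credentials, so the allowed origin
//                is echoed back, and Vary: Origin stops a shared cache from
//                replaying one origin's answer to another origin.
function corsHeadersFor(requestOrigin, mode) {
  if (mode === 'public') {
    return { 'Access-Control-Allow-Origin': '*' };
  }
  if (mode === 'private' && ALLOWED_ORIGINS.has(requestOrigin)) {
    return {
      'Access-Control-Allow-Origin': requestOrigin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
    };
  }
  return {}; // origin not allowed: send no CORS headers at all
}

// Browser side: may script running at `pageOrigin` read this response?
// Mirrors the Fetch standard's CORS check:
//   without credentials: ACAO must be '*' or exactly equal to pageOrigin
//   with credentials:    ACAO must equal pageOrigin ('*' is rejected) and
//                        Access-Control-Allow-Credentials must be 'true'
function browserAccepts(responseHeaders, pageOrigin, withCredentials) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === '*' || acao === pageOrigin;
  return acao === pageOrigin && acac === 'true';
}

// Does a cross-origin request need an OPTIONS preflight? Simplified form of
// the Fetch standard's CORS-safelisted method / header / Content-Type rules;
// the spec's limits on header value length are left out here.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return true;
    if (lname === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Walk-through with a hostile page at a made-up origin.
const attacker = 'https://attacker.example';
const pub = corsHeadersFor(attacker, 'public');
console.log('wildcard, anonymous read:', browserAccepts(pub, attacker, false));   // true
console.log('wildcard, credentialed read:', browserAccepts(pub, attacker, true)); // false
console.log('allowlist, attacker gets headers:',
  Object.keys(corsHeadersFor(attacker, 'private')).length);                        // 0
console.log('JSON POST needs preflight:',
  needsPreflight('POST', { 'Content-Type': 'application/json' }));                 // true
```

Two caveats a practitioner would add to "no credentials, no problem": the wildcard is only as harmless as the response is public, so an API that authorizes by network position (an intranet or cloud-metadata style endpoint reachable from the victim's browser) still leaks to any page; and a server that echoes the request's Origin header into `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true` has re-created the wildcard with credentials, which is the combination the browser check above exists to forbid. The preflight part shows that a plain GET or form-encoded POST never preflights in either mode, so the preflight is not there to protect anonymous reads; it gates methods and headers that plain HTML could never have sent.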
