7

I'm trying to understand why cross-domain requests without credentials are not allowed (by default, without setting up a server to return the Access-Control-Allow-Origin header). When a request has credentials all is pretty straightforward - one can fulfill some malicious actions on your behalf on other sites, for example on Facebook, if you have logged in on it.

For example, the request

xhr = new XMLHttpRequest();
xhr.open('GET', 'http://www.google.com');
xhr.send();

produces the error (I executed it in Chrome's console from this site):

XMLHttpRequest cannot load http://www.google.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://stackoverflow.com' is therefore not allowed access.

So, the server must send an appropriate header (e.g Access-Control-Allow-Origin: * ) to this request can work.

This is just a simple request and no cookies are sent. What's the reason for such a restriction? What security issues might take place if such CORS will be allowed?

without credentials - without cookies: default settings for XMLHTTPRequest is withCredentials = false, so no cookies are sent in the request - link.

Vasily
  • 1,588
  • 17
  • 30
  • 1
    Pretty sure that's not at all what he's asking. I interpreted it as he knows what the policy is, but is trying to understand what it is protecting the client from when no credentials are being sent. – Kevin B Oct 10 '14 at 19:07
  • @KevinB Yes, you're right, I'm trying to understand what risk for client in such requests without any cookie. – Vasily Oct 10 '14 at 19:14
  • 3
    Helpful related (identical?) question on Security.SE: [Why is the Access-Control-Allow-Origin header necessary?](http://security.stackexchange.com/questions/43639/why-is-the-access-control-allow-origin-header-necessary) -- "...what I can't see is what purpose is served by not allowing uncredentialed cross-domain AJAX requests without an Access-Control-Allow-Origin header." – apsillers Oct 10 '14 at 19:14
  • 2
    tldr, it prevents site a.com from accessing site b.com which is only accessible within my private network since a.com and b.com have different host values. If it were instead allowed, a.com would be able to scan my internal network for hosts that may not be protected, such as a router, or a company intranet. – Kevin B Oct 10 '14 at 19:20

1 Answers1

12

I'll go ahead and liberally steal from Security.SE's Why is the Access-Control-Allow-Origin header necessary?

The main concern here is access control based on network topology. Suppose you run a HTTP service on your home network (in fact, you almost certainly do, if your router itself has a Web interface). We'll call this service R, and the only machines connected to your home router can get to the service.

When your browser visits evil.example.com, that site serves your browser a script, telling it to fetch the contents of R and send it back to evil.example.com. This is potentially bad, even without credentials, because it's a violation of the assumption that no one outside your local network can view the services running inside your local network. The same-origin policy stops this from happening. If the same-origin policy only came into play when credentials were involved, it would opens up the possibility of bypassing topology-based protections.

Consider also that some public services allow access based on IP address:

  • the Oxford English Dictionary restricts access to its online entries to IP addresses coming from subscribed universities
  • the United Kingdom restricts access to BBC content to IP address from within the country

In all of the cases listed here, a browser could be used as an unwitting proxy for any site that serves it a script.

Community
  • 1
  • 1
apsillers
  • 101,930
  • 15
  • 206
  • 224