
I looked into this Stack Overflow answer to learn about CORS preflight requests. According to this answer, it is possible to do CSRF attacks when CORS is not there.

But looking at the requirements for "simple" requests that don't require preflights, I see that POST is still allowed. That can change state and delete data just like a DELETE!

That's true! CORS does not protect your site from CSRF attacks. Then again, without CORS you are also not protected from CSRF attacks. The purpose of preflight requests is just to limit your CSRF exposure to what already existed in the pre-CORS world.

But I cannot think of how a CSRF attack is possible if browsers follow the Same Origin Policy. If a malicious site tried to access another site, the browser would simply prevent it, because the origin of the request is different.

Can someone explain how a CSRF attack is possible if CORS were not there?

Lahiru Chandima

1 Answer


Same-origin applies to things like AJAX requests, but that's not the only way a CSRF attack can be triggered.

As an example:

<form id="evilForm" method="post" action="http://example.com/delete_user.php">
    <input type="hidden" name="user_id" value="12345">
</form>

<script>
document.getElementById('evilForm').submit();
</script>
ceejayoz
  • Thanks for the answer. Can you please explain why the same origin policy only applies to AJAX requests, while an attacker can easily do something like in your example? My initial understanding was that the same origin policy is there to prevent CSRF. – Lahiru Chandima Aug 09 '18 at 11:44
  • Same-origin policy is more concerned with the client being able to *read* responses, not make requests. In the case of a `<form>` post, the response isn't being read by anything client-side. – ceejayoz Aug 09 '18 at 12:55