Reputation: 1144
I see that we can't make a direct web request to a web server through another domain when CORS is not enabled.
However, there are multiple ways to break this security (e.g. using proxies), and these tweaks work like a charm.
Recently I had a similar issue: I wanted to use a web service which I do not own. They had also disabled cross-domain requests, but I followed this article, and using it allowed me to consume the service!
We can use a service which was developed and hosted by someone for their personal domain use (by disabling CORS). Isn't this a serious security breach?
How can we make sure that if I disable CORS on my REST interface, no one is able to tweak and use it?
Upvotes: 2
Views: 573
Reputation: 133
CORS isn't intended to prevent people from calling the API.
CORS is intended to prevent people from attaching credentials which may be used to attack the service automatically.
If I make a call to google.com/secret-service, then normally my google.com auth cookie will automatically be attached, and the service will be called with my credentials.
If I make a call to proxy.com/secret-service, then my google.com cookie isn't attached. It's now up to the application to authenticate and demonstrate that it's actually allowed to call google.com/secret-service.
Upvotes: 0
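As an added example (not from either post), a small Python request handler makes the answer's point concrete: the session cookie, not CORS, decides who may read the resource, while the CORS headers only govern whether a browser page on another origin may read the response with the user's credentials attached. The origin allowlist, session store, `/secret-service` path and `handle_request` function are all constructed for this illustration.

```python
# Added example: CORS is not access control; authentication is.
# A request arriving via a proxy (or curl) carries no session cookie, so it is
# rejected by the auth check regardless of any CORS configuration.
from http.cookies import SimpleCookie

ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allowlist
SESSIONS = {"s3ss10n-abc": "alice"}             # constructed session store


def cors_headers(origin):
    """Emit CORS headers only for an allowlisted origin.

    Never combine a wildcard or a reflected Origin with Allow-Credentials:
    that would let any page read responses made with the user's cookie.
    """
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def handle_request(method, headers):
    """Return (status, response_headers, body) for GET /secret-service."""
    origin = headers.get("Origin")
    extra = cors_headers(origin)
    if method == "OPTIONS":  # preflight: no secret data is returned here
        return 204, {**extra, "Access-Control-Allow-Methods": "GET"}, ""

    # The actual gate: a valid session cookie, which the browser attaches
    # automatically for this site but which a third-party proxy never has.
    cookie = SimpleCookie(headers.get("Cookie", ""))
    token = cookie["session"].value if "session" in cookie else None
    user = SESSIONS.get(token)
    if user is None:
        return 401, extra, "authentication required"
    return 200, extra, f"secret for {user}"
```

A request from a non-allowlisted origin that still carries the cookie is processed by the server but gets no `Access-Control-Allow-Origin` header, so the browser withholds the response from the calling page; that is the narrow protection CORS actually provides.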