Cross-Origin 101

SOP

An origin consists of the protocol, host, and port (e.g., http://www.example.com:8080), and a cross-origin request occurs when a page on one origin requests resources from another origin. Browsers enforce the Same-Origin Policy (SOP) to prevent one origin from accessing another origin's resources: the resource is still allowed to load on the page, but JavaScript is blocked from reading the response.


SOP is similar to the HttpOnly cookie flag, which prevents JavaScript from reading the cookie's value but still lets the browser send it with HTTP requests.

CORS

Cross-Origin Resource Sharing (CORS) allows cross-origin access based on an allowlist; if no CORS headers are defined, the browser blocks JavaScript from accessing the response by default. However, the request is still sent and the server still returns the response; only script access in the browser is blocked, so the content can be seen outside it (Figure 1).

Figure 1: The response's content is blocked on the browser but visible otherwise.

Requests

CORS instructs a browser, via response headers, which origins may access server resources and how they may be accessed, loosening SOP restrictions. For requests that are not "simple" (see below), the browser first sends a preflight request using the OPTIONS HTTP method to check whether the requesting origin is permitted to perform the requested action, and only then sends the actual cross-origin request.


Some cross-origin requests, known as simple requests, do not trigger a preflight; standard GET, HEAD, and POST requests fall into this category. Requests using other methods, custom HTTP headers, or POST requests with a nonstandard Content-Type require a preflight request.

Responses


The Access-Control-Allow-Credentials header has no false value; its only valid value is true. Servers must omit the header entirely if they do not want credentials (cookies, HTTP authentication) to be sent with cross-origin requests. It does not bypass the SameSite cookie flag.
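The two rules above (when a preflight is needed, and how an allowlist turns into response headers, including the omit-or-true behaviour of Access-Control-Allow-Credentials) as an added example, not code from the original page; the origins and method/header lists are constructed for illustration.

```javascript
// Added example: a minimal server-side CORS decision, showing (1) the
// simple-request rule that decides whether a preflight is needed and
// (2) how an allowlist maps to CORS response headers.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]); // constructed
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Does this cross-origin request count as "simple" (sent without a preflight)?
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false; // e.g. PUT, DELETE
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return false;              // custom header => preflight
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false;       // e.g. application/json => preflight
    }
  }
  return true;
}

// Build the CORS response headers for a request carrying an Origin header.
// Returns {} for origins outside the allowlist: the response is still sent,
// but without these headers the browser blocks script access to it.
// Access-Control-Allow-Credentials is either "true" or absent; never "false".
function corsHeaders(origin, method, withCredentials = true) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": origin, // the exact origin, never "*" when credentials are allowed
    "Vary": "Origin",                      // caches must not reuse this response for other origins
  };
  if (withCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  if (method.toUpperCase() === "OPTIONS") { // preflight: declare what the real request may do
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = "Content-Type, X-Requested-With";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}
```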

For how to test for CORS misconfigurations, see here.

SameSite Cookies

Find more about the SameSite flag here.
