Ask HN: Has CORS Solved Anything?

12 points by 02020202 ↗ HN
Personally I see it only as something that needs to be implemented on the server so the browser doesn't error out and the user won't freak out. Beside that it's just like a lock on a door... in a house... with no walls.... in the middle of a desert... on mars.

4 comments

[ 4.4 ms ] story [ 19.6 ms ] thread
It's a necessity that when implemented improperly leaves a sizeable security hole.

I recently got a bug bounty for finding a CORS vulnerability and showing a proof of concept phishing site that uses all of the resources from the genuine origin. The site was accepting a wildcard origin whereas it should've used a whitelist.

All I have to do is put a proxy in front of your API and strip all your headers off and send responses anywhere I like. Given that, how can CORS be "security"? It's totally insecure.
The point here is that if you put a proxy in front of your API, on your own infrastructure, _you are no longer in origin scope_ and cookies will not be sent along with the request.
It is CORS that restricts running foreign javascripts in your page. Clearly a win