Hacker News

Doesn't it keep a risk of XSS attacks though, since the CORS policy is only discovered AFTER the request is made?

Not really, no. If all it takes to exploit the remote service is to make the request (i.e., you don't need to be able to read the response data to exploit it), you can easily force a request by means other than XHR; an image tag is probably the most straightforward.

Also, strictly speaking, this class of attack is Cross-Site Request Forgery (CSRF), not Cross-Site Scripting (XSS).


The request is still made regardless, your JavaScript just won't be able to access the response without a CORS header set.


The request isn't actually made (at least not your request). The browser sends an OPTIONS request to get the CORS policy and then will block your request if it's not allowed.

Edit: My above comment is slightly incorrect. If the request is "simple" it will be made and then you'll be blocked if it doesn't fit the CORS policy. If the request is not deemed "simple" (according to some rules you can look up in the spec) then the OPTIONS flow occurs.
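
The distinction drawn in the edit above, "simple" requests that are sent regardless versus non-simple requests that are gated by an OPTIONS preflight, is worth seeing in code. The following is an added example written for this page, not code from the thread: a small JavaScript model of the browser-side decision, using the CORS-safelisted method, header and Content-Type rules from the Fetch spec. The `policy` object (allowed origins, methods and headers) is a hypothetical stand-in for what a server would answer in `Access-Control-Allow-*` headers, and the requests are constructed sample inputs. It shows why a form-encoded POST from an untrusted origin still reaches the server (the CSRF point made earlier in the thread, the same request an `<img>` or auto-submitted form can make), while a JSON POST from that origin never does.

```javascript
// Added example, not from the original HN thread. Models which cross-origin
// requests a browser sends immediately ("simple", CORS-safelisted) and which
// it preflights with OPTIONS, following the Fetch spec's safelist rules.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// A header is safelisted by name, and for Content-Type also by media type
// (parameters such as "; charset=utf-8" are ignored for the check).
function isSafelistedHeader(name, value) {
  const lname = name.toLowerCase();
  if (!SAFE_HEADERS.has(lname)) return false;
  if (lname === 'content-type') {
    const mediaType = String(value).split(';')[0].trim().toLowerCase();
    return SAFE_CONTENT_TYPES.has(mediaType);
  }
  return true;
}

// True when the browser sends the request without a preflight.
function isSimpleRequest(req) {
  if (!SAFE_METHODS.has(req.method.toUpperCase())) return false;
  return Object.entries(req.headers || {}).every(([n, v]) => isSafelistedHeader(n, v));
}

// Hypothetical server policy (assumption for this example): what the server
// would put in Access-Control-Allow-Origin / -Methods / -Headers. Names are
// stored lowercase.
const EXAMPLE_POLICY = {
  allowedOrigins: new Set(['https://app.example']),
  allowedMethods: new Set(['PUT']),
  allowedHeaders: new Set(['content-type', 'x-csrf-token']),
};

// Returns what happens for a cross-origin XHR/fetch from `origin`:
// whether a preflight is sent, whether the real request reaches the server,
// and whether the page's script can read the response.
function simulateCrossOriginRequest(origin, req, policy) {
  const originAllowed = policy.allowedOrigins.has('*') || policy.allowedOrigins.has(origin);

  if (isSimpleRequest(req)) {
    // Simple request: sent to the server unconditionally. CORS only decides
    // whether the caller may read the response, so the server still needs
    // CSRF defences (tokens, SameSite cookies) for state-changing endpoints.
    return { preflightSent: false, requestReachedServer: true, responseReadable: originAllowed };
  }

  // Non-simple request: the browser sends OPTIONS first and only sends the
  // real request if the origin, method and non-safelisted headers are allowed.
  const method = req.method.toUpperCase();
  const unsafeHeaders = Object.entries(req.headers || {})
    .filter(([n, v]) => !isSafelistedHeader(n, v))
    .map(([n]) => n.toLowerCase());
  const preflightOk =
    originAllowed &&
    (SAFE_METHODS.has(method) || policy.allowedMethods.has(method)) &&
    unsafeHeaders.every((h) => policy.allowedHeaders.has(h));

  return { preflightSent: true, requestReachedServer: preflightOk, responseReadable: preflightOk };
}

// Constructed sample requests.
const FORM_POST = { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' } };
const JSON_POST = { method: 'POST', headers: { 'Content-Type': 'application/json' } };

// Stand-alone demo: an attacker origin's form POST reaches the server even
// though the response is unreadable; its JSON POST is stopped at preflight.
console.log('evil form POST:', simulateCrossOriginRequest('https://evil.example', FORM_POST, EXAMPLE_POLICY));
console.log('evil JSON POST:', simulateCrossOriginRequest('https://evil.example', JSON_POST, EXAMPLE_POLICY));
console.log('app  JSON POST:', simulateCrossOriginRequest('https://app.example', JSON_POST, EXAMPLE_POLICY));
```

The model covers the method, header-name and Content-Type rules the comment refers to; real browsers apply a few further restrictions (for example on header value length and on the Range header), so treat it as an illustration of the flow rather than a complete reimplementation of the spec.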


Ah I see. I wondered if it did some such thing. That's good to know.


Applications are open for YC Winter 2016
