Having a permissive Cross-Origin Resource Sharing policy is security-sensitive. It has led in the past to the following vulnerabilities:
Same origin policy in browsers prevents, by default and for security-reasons, a javascript frontend to perform a cross-origin HTTP request to a resource that has a different origin (domain, protocol, or port) from its own. The requested target can append additional HTTP headers in response, called CORS, that act like directives for the browser and change the access control policy / relax the same origin policy.
Access-Control-Allow-Origin: untrustedwebsite.com. Access-Control-Allow-Origin: * origin header. There is a risk if you answered yes to any of those questions.
Access-Control-Allow-Origin header should be set only for a trusted origin and for specific resources. Access-Control-Allow-Origin header. Prefer whitelisting domains over blacklisting or
allowing any domain (do not use * wildcard nor blindly return the Origin header content without any checks). Django:
CORS_ORIGIN_ALLOW_ALL = True # Sensitive
Flask:
from flask import Flask
from flask_cors import CORS
app = Flask(__name__)
CORS(app, resources={r"/*": {"origins": "*", "send_wildcard": "True"}}) # Sensitive
User-controlled origin:
origin = request.headers['ORIGIN'] resp = Response() resp.headers['Access-Control-Allow-Origin'] = origin # Sensitive
Django:
CORS_ORIGIN_ALLOW_ALL = False # Compliant
Flask:
from flask import Flask
from flask_cors import CORS
app = Flask(__name__)
CORS(app, resources={r"/*": {"origins": "*", "send_wildcard": "False"}}) # Compliant
User-controlled origin validated with an allow-list:
origin = request.headers['ORIGIN'] resp = Response() if origin in TRUSTED_ORIGINS: resp.headers['Access-Control-Allow-Origin'] = origin