Collaborate Disseminate
From Cross-Origin Resource Sharing (CORS) – HTTP | MDN:
CORS failures result in errors but for security reasons, specifics about the error are not available to JavaScript. All the code knows is that an error occurred. The only way to dete… Continue reading What are the reasons for CORS failure errors to not be available to JS?
To help developers with integrating with our SAML/OAuth/OIDC Identity Provider on their local dev environments, I’m thinking about configuring a demo client/app in our production IdP that has localhost configured as valid redirect url (OAu… Continue reading Risks with having a "localhost" service configured on a production SAML/OAuth/OIDC Identity Provider
I have been using lots of various APIs in my frontend lately and they all have to be properly configured with CORS and the browser always do extra OPTIONS request that only make debugging harder.
I was wondering if there could be a way of … Continue reading Is prohibiting cookies a viable CORS alternative?
I was testing an internal application recently, that had fully permissive CORS, i.e. it echoes the Origin header into Access-Control-Allow-Origin, has Access-Control-Allow-Credentials: true and handles OPTIONS properly. All the pieces were… Continue reading Do browsers have a defence against CORS from internet to intranet sites?
I have a site with Access-Control-Allow-Credentials: true and it also allows me to use any origin I want, but Cookie flagged SameSite=Lax. I want to perform CSRF attack, but I need to bypass Lax somehow. Is there’s a way to do it?
I have a pretty standard web app (react client, node server), https-enabled.
I want to add the ability for the web app to access a device on the local LAN. The device has REST APIs and I can install a certificate in it to enable https.
He… Continue reading Certificate structure for accessing a local device from a web app
If I have understood Cross-Site WebSocket Hijacking (CSWSH) attack correctly [1][2][3][4], the attack relies on two things (examples are from the first reference):
the browser sending the cookies set by the victim domain (www.some-trading… Continue reading Why is the browser not sending cookies with cross-domain WebSocket handshake request?
I have created a page to attack a CSRF unprotected endpoint.
This endpoint accepts only JSON as payload, so I have used fetch with credentials: "include" properties. The page run locally using file:// protocol.
<html>
<… Continue reading "CORS Error" but Chrome sent the request anyway
It is common to say that CORS headers protect against CSRF, so that if you visit a malicious website, it cannot make a request to your web application because the referer header (the URL of the malicious website) wouldn’t be allowed by the… Continue reading Are CORS headers useless?
I understand if you are cross-communicating with origin A, then if origin A has no Access-Control-Allow-Credentials in the response, you will never be able to reuse Cookies obtained from origin A response.
But what if you got a cookie in t… Continue reading Does CORS Access-Control-Allow-Credentials apply to non-origin/third-party cookies or as well?