Collaborate Disseminate
I have been using lots of various APIs in my frontend lately and they all have to be properly configured with CORS and the browser always do extra OPTIONS request that only make debugging harder.
I was wondering if there could be a way of … Continue reading Is prohibiting cookies a viable CORS alternative?
I was testing an internal application recently, that had fully permissive CORS, i.e. it echoes the Origin header into Access-Control-Allow-Origin, has Access-Control-Allow-Credentials: true and handles OPTIONS properly. All the pieces were… Continue reading Do browsers have a defence against CORS from internet to intranet sites?
I have a site with Access-Control-Allow-Credentials: true and it also allows me to use any origin I want, but Cookie flagged SameSite=Lax. I want to perform CSRF attack, but I need to bypass Lax somehow. Is there’s a way to do it?
I have a pretty standard web app (react client, node server), https-enabled.
I want to add the ability for the web app to access a device on the local LAN. The device has REST APIs and I can install a certificate in it to enable https.
He… Continue reading Certificate structure for accessing a local device from a web app
If I have understood Cross-Site WebSocket Hijacking (CSWSH) attack correctly [1][2][3][4], the attack relies on two things (examples are from the first reference):
the browser sending the cookies set by the victim domain (www.some-trading… Continue reading Why is the browser not sending cookies with cross-domain WebSocket handshake request?
I have created a page to attack a CSRF unprotected endpoint.
This endpoint accepts only JSON as payload, so I have used fetch with credentials: "include" properties. The page run locally using file:// protocol.
<html>
<… Continue reading "CORS Error" but Chrome sent the request anyway
It is common to say that CORS headers protect against CSRF, so that if you visit a malicious website, it cannot make a request to your web application because the referer header (the URL of the malicious website) wouldn’t be allowed by the… Continue reading Are CORS headers useless?
I understand if you are cross-communicating with origin A, then if origin A has no Access-Control-Allow-Credentials in the response, you will never be able to reuse Cookies obtained from origin A response.
But what if you got a cookie in t… Continue reading Does CORS Access-Control-Allow-Credentials apply to non-origin/third-party cookies or as well?
I have a scenario where my Nextjs frontend application is running in the cloud with a domain & SSL and I have a nodejs backend.
When I make an API call to the backend nodejs server, I get a CORS error stating a "https to http comm… Continue reading https to http communication error while frontend call to backend
Section 3.2.3 of the Fetch standard provides some guidance about how servers can/should handle preflight requests.
A successful HTTP response, i.e., one where the server developer intends to share it, to a CORS request can use any status,… Continue reading Are timing-based side-channel attacks against the server during CORS preflight a legitimate concern?