Collaborate Disseminate
How do I determine the current CORS "state" in different browsers? I have for example a case where two different Access-Control-Allow-Origin headers are set, and I want to know which one applies now.
Usually I read through the sp… Continue reading how to determine CORS Browser state
With CORS Proxy we can bypass CORS restriction using CORS Proxy. Which can strip away X-Frame-Options and Same Origin restriction. This can impact Account compromise or click jacking.
Is there a way to protect both origin and front from CO… Continue reading How to protect from CORS Proxy
I understand that servers might want to prevent bad origins somehow stealing certain data and crafting a request to request some authorized data from a different domain. Such as using "Authorization" header etc., what is the use … Continue reading What is the use of Access-Control-Allow-Headers for unauthenticated endpoints?
I have a mostly public API with some parts of it "credentialed" behind cookies, similarly to e.g. how WordPress’ REST API works. (In our case, it’s a GraphQL API but that shouldn’t matter.)
I want to enable CORS for it and am con… Continue reading Difference between `Access-Control-Allow-Origin: *` (wildcard) and specific origins
I am developing webpage in which I am embedding some Youtube video’s. On my localhost environment I get the following errors:
"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://googl… Continue reading Block Cross-Origin requests for Youtube embedded video (with js api)
After authenticated by Google, a client browser attaches the idToken from Google to an application API server. Assuming google-auth-library auto-refresh an expired token, it now needs to send it back in header to client browser so new requ… Continue reading How risky it is if a server allows client Javascript access to say an access token in header?
I am trying to identify if issues found by a security tool are in fact false positive or actual issues. I am having a hard time understanding the issue in general as I am new to security and what I can do to fix the issues. Below are the t… Continue reading Identifying false positives while running a security tool program [closed]
Please note: although I mention Spring Boot (and by proxy, Java) I believe this is a pure HTTP/web development question at heart, and as such, can be answered by anyone with CORS-configuration experience and zero Java experience!
I am con… Continue reading CORS configuration for service with single browser client
I currently have two domains that I use for my app:
Ex: backend-app.example.com and api.example.com
In both domains the access-control-allow-origin header is *.
This configuration is this way because the backend-app.example.com is used thr… Continue reading Enable or Disable CORS for Domains and API
I am questioning myself whether is it meaningful or not for a Single Page Application (e.g. Angular) to expose CORS headers or not.
Motivation: I am learning OWASP ZAP and it found that my Angular app exposes no CORS header.
Question
As th… Continue reading Should a static Single Page Application expose CORS?