< Back to JetLib.com

jetlib.sec » Full Disclosure » Pros and cons of 'Access-Control-Allow-Origin' header?

« Expand/Collapse

Full Disclosure

February 22, 2012
Pros and cons of 'Access-Control-Allow-Origin' header?

Posted: February 22nd, 2012, 10:37am PST

Tags:

Posted by David Blanc on Feb 22
Does 'Access-Control-Allow-Origin' header provide any benefits in
defending against cross site scripting attacks?

Doesn't 'Access-Control-Allow-Origin' header make any XSS flaw
trivially exploitable? For example, if an attacker finds an XSS flaw
in a web application, he can now inject a JavaScript with
XMLHttpRequest that sends a request to attacker's web server which
serves resources with the HTTP header...

← Re: RSA and random number generation ZDI-12-032 : Oracle Java Runtime Envi... →