Does the 'Access-Control-Allow-Origin' header provide any benefits in defending against cross-site scripting attacks?
Doesn't the 'Access-Control-Allow-Origin' header make any XSS flaw trivially exploitable? For example, if an attacker finds an XSS flaw in a web application, he can now inject JavaScript with XMLHttpRequest that sends a request to the attacker's web server, which serves resources with the HTTP header "Access-Control-Allow-Origin: *". The browser would see this header and fetch the resource from the attacker's web server. Isn't the web a safer place without this header?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
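The header check the post refers to, as an added example that is not part of the original post: a simplified model of the CORS check a browser applies to a cross-origin response, following the Fetch standard. The function name `corsCheck`, the origins and the header sets are constructed for illustration.

```javascript
// Simplified model of the CORS check a browser runs on a cross-origin
// response (after the Fetch standard). The header is set by the server that
// returns the response; the check decides whether the requesting page's
// script may read that response. corsCheck and all sample data are constructed.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive; normalise before lookup.
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v.trim()])
  );
  const allowOrigin = headers.get("access-control-allow-origin");
  if (allowOrigin === undefined) return false; // responding server did not opt in
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false; // must equal the requesting origin
  if (credentialsMode !== "include") return true;
  // Credentialed reads need a second explicit opt-in; "*" never reaches here.
  return headers.get("access-control-allow-credentials") === "true";
}

// Constructed scenarios: a page on PAGE_ORIGIN reads responses from other origins.
const PAGE_ORIGIN = "https://app.example";
const SCENARIOS = [
  { name: "no CORS header", mode: "omit", headers: {} },
  { name: "wildcard, no credentials", mode: "omit",
    headers: { "Access-Control-Allow-Origin": "*" } },
  { name: "wildcard, with credentials", mode: "include",
    headers: { "Access-Control-Allow-Origin": "*" } },
  { name: "exact origin, credentials not allowed", mode: "include",
    headers: { "Access-Control-Allow-Origin": PAGE_ORIGIN } },
  { name: "exact origin, credentials allowed", mode: "include",
    headers: { "Access-Control-Allow-Origin": PAGE_ORIGIN,
               "Access-Control-Allow-Credentials": "true" } },
  { name: "header names a different origin", mode: "omit",
    headers: { "Access-Control-Allow-Origin": "https://partner.example" } },
];

// Returns [{ name, readable }] so the outcome of each scenario can be inspected.
function evaluateScenarios() {
  return SCENARIOS.map((s) => ({
    name: s.name,
    readable: corsCheck(PAGE_ORIGIN, s.mode, s.headers),
  }));
}

console.table(evaluateScenarios());
```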
