On 6/2/11 6:41 PM, Margarita Podskrobko wrote:
I have read a couple of discussions in this mailing list concerning security
issues of CORS. AFAIU, the main point of CORS is to delegate the security
enforcement point from the client browser (requestor of the resource) to the server
(possessor of the resource).

It's the other way around. It's to delegate the security enforcement to the _browser_. The server responds with the resource and Access-Control-Allow-Origin and the browser uses that information to decide whether to give the data to the origin that asked for it.

The Origin header the browser sends is effectively advisory; clearly anyone can always send an HTTP request to a server with a given Origin header (using telnet to port 80, say!). So the server should not be making any assumptions about what the Origin header really means security-wise.

So my understanding is that only servers which allow requests from all origins
or servers which completely forbid cross-origin requests are in a safe
situation.

The client can always send an Origin header claiming the request is same-origin.....

-Boris
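The split Boris describes (server only chooses what to send back, browser decides whether the calling page may read it, and a non-browser client can claim any Origin) modelled as an added example; this is illustrative code written for this page, not code from the thread or from any browser. The origin allowlist, the resource body and the client functions are constructed assumptions.

```javascript
// Added example (not from the thread): models both halves of CORS.
// Server side decides only what to send back; browser side decides
// whether script in the requesting page is allowed to read it.

// Constructed allowlist of origins permitted to read this resource.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);

// Server: build response headers for a request carrying the given Origin.
// The Origin value is used only to pick which allowlisted value to echo in
// Access-Control-Allow-Origin; it never decides whether the body is returned,
// because anyone can put any Origin on a hand-crafted request.
function buildResponse(requestOrigin) {
  const headers = {};
  if (requestOrigin !== undefined && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin"; // response differs per origin, so caches must key on it
  }
  return { status: 200, headers, body: '{"secret":42}' };
}

// Browser: given the origin of the page that issued the fetch and the
// response, decide whether that page's script may read the body.
function browserMayRead(pageOrigin, response, credentialed) {
  const acao = response.headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;            // no opt-in: block
  if (acao === "*") return !credentialed;          // wildcard is invalid with credentials
  return acao === pageOrigin;                      // must match exactly
}

// End-to-end browser request: the browser fills in Origin truthfully and
// withholds the body from the page if the server did not opt in.
function corsRequest(pageOrigin, credentialed = false) {
  const resp = buildResponse(pageOrigin);
  return browserMayRead(pageOrigin, resp, credentialed) ? resp.body : null;
}

// Non-browser client (telnet, curl, a script) sending an arbitrary Origin:
// the server still returns the body, because there is no browser in the
// loop to enforce anything. This is why Origin is advisory to the server.
function rawClientRequest(claimedOrigin) {
  return buildResponse(claimedOrigin).body;
}

console.log(corsRequest("https://app.example"));      // body: allowlisted origin
console.log(corsRequest("https://evil.example"));     // null: browser withholds it
console.log(rawClientRequest("https://evil.example")); // body: nothing to stop a raw client
```

The takeaway for a server operator is the one in the reply above: CORS headers decide what a compliant browser exposes to a page, and nothing more. Any authorisation decision still has to rest on credentials the server itself validates, not on the Origin header.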
