What is CORS?

Table Of Contents:

  • CORS History
  • CORS preflight request
  • CORS actual request
  • Wildcards in CORS
  • CORS vulnerability
  • Conclusion


CORS History

CORS preflight request

OPTIONS /auth/signin HTTP/1.1
Host: api-emailpassword.demo.supertokens.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type,fdi-version,rid
Origin: https://emailpassword.demo.supertokens.com
  • Access-Control-Request-Method - The method of the request being made by our operation. This can be any of the HTTP request methods, including GET, POST, PUT, DELETE, and CONNECT.
  • Access-Control-Request-Headers - A comma-separated list of HTTP headers that would be used in the actual request.
  • Origin - Where the request is coming from. For us, that's https://emailpassword.demo.supertokens.com
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://emailpassword.demo.supertokens.com/
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
Access-Control-Allow-Headers: content-type,rid,fdi-version,anti-csrf
  • Access-Control-Allow-Credentials - The server telling us whether the actual request can include cookies in it, or that the response of the actual request can set-cookies. In our case, cookies refer to the session tokens of the user, which act as the credentials of the user once they're signed in.
  • Access-Control-Allow-Methods - A comma-separated list of HTTP methods that the API domain allows for cross-origin requests
  • Access-Control-Allow-Headers - A comma-separated list of HTTP headers that the API domain allows for cross-origin requests

CORS actual request

POST /auth/signin HTTP/1.1
Host: http://api-emailpassword.demo.supertokens.com/
content-type: application/json
fdi-version: 1.15
rid: emailpassword
Content-Length: 92
Origin: https://emailpassword.demo.supertokens.com/
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://emailpassword.demo.supertokens.com/
Access-Control-Allow-Credentials: true
front-token: ...
Access-Control-Expose-Headers: front-token, id-refresh-token
Set-Cookie: ...

Wildcards in CORS

CORS vulnerability

Mishandling origin whitelist

One of the easiest mistakes to make when implementing CORS is mishandling the origin whitelist. When whitelisting origins, it’s often easy to do simple matches with URL prefixes or suffixes, or using regular expressions. However, this can lead to quite a few issues.

Requests with null origin

Another common misconfiguration is whitelisting origins with the value null. Browsers might send the value null in the origin header in situations such as:

  • Sandboxed cross-origin requests
<iframe src="data:text/html" sandbox="allow-scripts allow-top-navigation allow-forms allow-same-origin">
function reqlistener() {
var req = new XMLHttpRequest();
req.onload = reqlistener;
req.open("GET", 'vulnerable.com/sensitive', true);
req.withCredentials = true;





Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store