Does the same site cookie policy potentially change anything for CORS

According to the new same-site cookie policy (once implemented across all browsers) , a third party call from another page would not send along the cookies by default, unless the third party explicitly indicates that by setting appropriate cookie metadata.

As per my understanding, this would help with CSRF prevention. Does it cover all cases for CSRF ? Can this policy obsolete the same-origin policy since it seems to solve the same problems, or does the same origin policy cover other use cases? Does this potentially mean that we wouldn’t need CORS setup on the servers anymore?

Cross-Domain Request is a CSRF Attack? (CORS)

CORS is a HTTP Suite header that “relax” the SOP. One of the CORS misconfigurations is about to reflect without reg exp the “Origin” client header into “ACAO” response header. If it happens with “ACAC:true” every cross-domain HTTP request is allowed.

If an attacker induces a victim to visit with another tab of the browser, a malicious web server with a Javascript CORS exploit; the browser triggered by exploit does a HTTP request to a vulnerable webpage and sends the output to a web server controlled by the attacker.

It happens because CORS has a misconfiguration and because the vulnerable page doesn’t have a CSRF Token.

Was this Cross-Domain HTTP request essentially a CSRF attack? If yes, it happens because there is a CORS misconfiguration and there isn’t the CSRF Token? What happens if it has a Anti-XSRF Token?

I read that CORS and SOP can’t block a CSRF attack, because the policy prevents only to access to the response on the request, but the HTTP request works anyway.

If CORS and SOP can’t block a CSRF attack, the CSRF attack could work also if the web server target is not vulnerable a CORS misconfiguration?

Is it possible to send a POST CORS request with json data?

Is it possible to send a custom POST CORS request with json data?

I found that the website example.com is vulnerable to CORS and it’s accepting my origin header:

https://mywebsite.com

, however the request is a POST one and if i try without any post data i get: {"errorCode":"invalid","message":"Invalid json body","statusCode":400}

I was wondering if it’s possible to send cors requests containing json data. If it’s possible how should i edit my proof of concept code?

At the moment i’m using the following:

<script> var createCORSRequest = function(method, url) {   var xhr = new XMLHttpRequest();   if ("withCredentials" in xhr) {     // Most browsers.     xhr.open(method, url, true);   } else if (typeof XDomainRequest != "undefined") {     // IE8 & IE9     xhr = new XDomainRequest();     xhr.open(method, url);   } else {     // CORS not supported.     xhr = null;   }   return xhr; };  var url = 'https://example.com/api/v1/post'; var method = 'POST'; var xhr = createCORSRequest(method, url);  xhr.onload = function() {   // Success code goes here. };  xhr.onerror = function() {   // Error code goes here. };  xhr.withCredentials = true; xhr.send(); </script> 

But i’ll need to add {"id":"test","name":"test"} as POST json data to my PoC to make it work. How could i do that?

Prevent Cross-site WebSocket hijacking with a custom header and no CORS

Considering I am vulnerable to Cross-site WebSocket hijacking, so my WebSocket handshake (GET to example.com/wss) does not require a random (CSRF) token.

I have defined no CORS settings, so no custom headers can be added to cross-site requests.

Would it theoretically be enough to add a static custom request header, that is required for the WebSocket handshake to prevent a Cross-site WebSocket hijacking?

CORS policy during development

Does the CORS policy add any value during the development phase? Should I develop with CORS on or off? The development is occurring in a distributed environment and there are no local copies of components, only a testing environment where components are uploaded and tested (not on the same servers, so CORS still apply). If I should enable the CORS policy, how should I set it up so my distributed teams can work against my back-end server from their development environments ?

This question was strongly influenced by this one : should-i-develop-with-tls-on-or-off

Is CSRF protection required for sensitive GET requests with CORS enabled?

Based on other questions, it seems protecting GET resources with CSRF tokens is useless. However, that quickly becomes untrue when CORS gets thrown into the mix

I have a server domain server.com and a UI app at client.com. The server.com domain handles user auth and sets a session cookie under the server.com domain. It also has a rest-like endpoint that serves GET requests at /user_data and returns sensitive user data to users with a valid session. The 3rd party UI at client.com needs access to the user_data in an AJAX call, so CORS is enabled at the /user_data endpoint for the origin domain client.com via Access-Control-Allow-Origin.

The endpoint in question has no side effects, although it serves sensitive data to a 3rd party. Do I need to implement some CSRF token protection for the endpoint? Could the user_data be read by a compromised client.com webpage (via persistent XSS)? If so, can I use a query param mechanism of CSRF token exchange? The way I understand it, it’s the only option, because the client.com cannot read csrf tokens stored in a server.com cookies. However OWASP guidelines state that:

Make sure that the token is not leaked in the server logs, or in the URL.

If that’s also a problem, how can I secure my application?

With the existance of CORS, what further purpose does same origin policy serve?

I’ve been using CORS for a while and I think I understand it. But as far as I can tell, because the allow-origin header is provided by the server being called, which an attacker can control as they see fit, same origin policy cannot prevent an injected script from calling an attackers server.

Furthermore, by using my own server as a proxy, and spoofing headers, I can essentially make any HTTP call to any server in the world, regardless of their CORS settings.

Assuming an attacker can do whatever they want with their server, does this mean that same origin policy is dead?