This question is about protecting against Cross Site Request Forgery attacks only. It is specifically about: Is protection via the Origin header (CORS) as good as the protection via a CSRF token? Example: Alice is logged in (using a cookie) with her browser to https://example.com. I assume that she uses a mo…
Tag: cors
What’s to stop malicious code from spoofing the “Origin” header to exploit CORS?
The way I understand it, if a client-side script running on a page from foo.com wants to request data from bar.com, in the request it must specify the header Origin: http://foo.com, and bar must respond with Access-Control-Allow-Origin: http://foo.com. What is there to stop malicious code from the site roh.co…
Why does my http://localhost CORS origin not work?
I am stuck with this CORS problem, even though I set the server (nginx/node.js) with the appropriate headers. I can see in Chrome Network pane -> Response Headers: which should do the trick. Here’s the code that I now use to test: I get XMLHttpRequest cannot load http://stackoverflow.com/. Origin htt…
Cross-domain connection in Socket.IO
Is it possible to use Socket.IO in a cross domain manner? If so, how? The possibility is mentioned around the web but no code examples are given anywhere. Answer Quoting the socket.io FAQ: Does Socket.IO support cross-domain connections? Absolutely, on every browser! As to how it does it: Native WebSockets ar…