
Tag: cors

CSRF protection with CORS Origin header vs. CSRF token

This question is about protecting against Cross-Site Request Forgery attacks only. It is specifically about: Is protection via the Origin header (CORS) as good as the protection via a CSRF token? Example: Alice is logged in (using a cookie) with her browser to https://example.com. I assume that she uses a modern browser. Alice visits https://evil.example, and evil.example’s client side

What’s to stop malicious code from spoofing the “Origin” header to exploit CORS?

The way I understand it, if a client-side script running on a page from foo.com wants to request data from bar.com, in the request it must specify the header Origin: http://foo.com, and bar must respond with Access-Control-Allow-Origin: http://foo.com. What is there to stop malicious code from the site roh.com from simply spoofing the header Origin: http://foo.com to request pages from

Why does my http://localhost CORS origin not work?

I am stuck with this CORS problem, even though I set the server (nginx/node.js) with the appropriate headers. I can see in Chrome Network pane -> Response Headers: which should do the trick. Here’s the code that I now use to test: I get XMLHttpRequest cannot load http://stackoverflow.com/. Origin http://localhost is not allowed by Access-Control-Allow-Origin. I suspect it’s a problem

Cross-domain connection in Socket.IO

Is it possible to use Socket.IO in a cross-domain manner? If so, how? The possibility is mentioned around the web but no code examples are given anywhere. Answer: Quoting the socket.io FAQ: Does Socket.IO support cross-domain connections? Absolutely, on every browser! As to how it does it: Native WebSockets are cross-domain by design, socket.io serves a flash policy file
