During the interview, I was asked about CORS security, but I couldn’t answer it. I would like to ask everyone for advice.
CORS sets Access-Control-Allow-Origin on the server side. If it is not set to *, doesn't that mean only the specified domain can initiate a request? Otherwise, it will be intercepted by the browser. I have seen that HTTP headers can be forged, but manually setting Origin will also be blocked by the browser. So where is the vulnerability in CORS? What is the solution? Thanks.
https://developer.mozilla.org... Browser Compatibility
On the contrary, compared with JSONP, I think CORS is a safer cross-domain method, and the standard one.
Access-Control-Allow-Origin is a whitelist of domains that are allowed to make requests. Only for domains on this list will the server allow cross-domain requests. If the whitelist is set appropriately, CSRF attacks can be avoided.
I think this question may require you to consider the problems you face if Access-Control-Allow-Origin is *.
The ones set to * are generally public APIs. To avoid excessive requests or DDoS, there are usually additional key-verification steps, and the frequency and number of requests are limited.
Also, although CORS does not send cookies by default, this can be allowed by setting Access-Control-Allow-Credentials to true, which may also lead to the risk of CSRF-style attacks.
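To make concrete both the question ("where is the vulnerability in CORS?") and the point in the last reply about Access-Control-Allow-Credentials, here is an added example that is not from the thread or from any of its posters. It models three server-side CORS policies as plain functions returning response headers, plus a simplified model of the browser's CORS response check, so you can see which origins end up able to read an authenticated response. All origins, hostnames and the allow-list are made up for the example.

```javascript
// Added example, not code from the thread. Models what a CORS-enabled server
// decides for a given request Origin, and what the browser then lets the
// calling page read. Every origin and hostname below is made up.

// Hypothetical allow-list. An origin is scheme + host + port, compared exactly.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Vulnerable pattern 1: reflect whatever Origin the request carries and also
// allow credentials. Any site can now make the victim's browser send its
// cookies and read the authenticated response.
function reflectingCors(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Vulnerable pattern 2: a substring check instead of an exact match.
// "https://app.example.com.attacker.test" passes because it contains the
// trusted hostname.
function substringCors(origin) {
  if (origin && origin.includes('example.com')) {
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
    };
  }
  return {};
}

// Hardened: exact match on the full origin, credentials only for listed
// origins, never "*" together with credentials, and "Vary: Origin" so a
// shared cache does not replay one origin's headers to another.
function strictCors(origin) {
  const headers = { Vary: 'Origin' };
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers; // no ACAO header at all: the browser blocks the read
}

// Simplified model of the browser's CORS response check for a request issued
// from `pageOrigin`. With credentials, "*" is not accepted and
// Access-Control-Allow-Credentials must be exactly "true".
function browserCanRead(headers, pageOrigin, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (withCredentials) {
    if (headers['Access-Control-Allow-Credentials'] !== 'true') return false;
    return acao === pageOrigin;
  }
  return acao === '*' || acao === pageOrigin;
}

// For each probe origin, can a page hosted there read an authenticated
// response under the given policy? The attacking page would run roughly:
//   fetch('https://api.example.com/me', { credentials: 'include' })
//     .then(r => r.text()).then(exfiltrate);
function exposureReport(policy, origins) {
  const result = {};
  for (const o of origins) {
    result[o] = browserCanRead(policy(o), o, true);
  }
  return result;
}

const PROBE_ORIGINS = [
  'https://app.example.com',               // legitimate front-end
  'http://app.example.com',                // scheme differs: must not match
  'https://app.example.com.attacker.test', // suffix trick against substring checks
  'https://attacker.test',                 // unrelated site
];

if (typeof require !== 'undefined' && require.main === module) {
  const policies = { reflectingCors, substringCors, strictCors };
  for (const [name, policy] of Object.entries(policies)) {
    console.log(name, exposureReport(policy, PROBE_ORIGINS));
  }
}
```

Running it shows the vulnerability the question is asking about: the browser does enforce CORS, but it enforces whatever policy the server hands back, so the bug is a server that echoes the Origin header (or matches it loosely) while also sending Access-Control-Allow-Credentials: true. The Origin header cannot be forged from a page, but an attacker does not need to forge it: their own origin is reflected as trusted. Note also that the hardened version rejects a scheme mismatch and sends Vary: Origin; the real browser algorithm has further details (preflight, the `null` origin from sandboxed frames and file pages) that this model does not cover.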