Are XSS protection techniques required on server side considering modern browsers?

Asked Dec 08 '15 at 17:41

Active Dec 08 '15 at 17:43

Viewed 75 times

Is it true that:

Modern browsers add "origin" header to ANY cross-domain request.
Modern browsers look for "Access-Control-Allow-Origin" header in response and do not process response body if there is no this header.

Hence server does not need use CSRF token to protect users with modern browsers. And server does not need CORS if cross-domain requests are undesirable.

In other words, are these statements true?

modern browsers protect user data from XSS and no special actions required on server side if cross-domain requests are undesirable
CORS on server side is required only if it is necessary to allow some trusted domains perform cross-domain requests
CSRF token is required for old browsers only

edited Dec 08 '15 at 17:43

Maxime Rouiller

13,614
9
57
107

asked Dec 08 '15 at 17:41

onetuser

2

you shouldn't rely on browsers to provide security. – Robbert Draaisma Dec 08 '15 at 17:50
You are (almost) save only when you check the input provided by the user server-side. PHP has already a lot of native functions to do this. – Franco Dec 08 '15 at 18:02

Are XSS protection techniques required on server side considering modern browsers?

0 Answers0