2

I see that we can't make direct web request to the web server through another domain when CORS is not enabled.

However there are multiple way to break this security (ex. using proxies) and these tweaks works like a charm.

Recently I had a similar issue, I wanted to use a web service which I do not own. Also they have disabled the cross domain requests but I followed this article and using this it allowed me to consume the service!

We can use the service which was developed and hosted by someone for their personal domain use (by disabling CORS). Isn't this a serious security breach?

How can we make sure that If I disable CORS on my REST INTERFACE no one should be able to tweak and use it?

Paresh Varde
  • 1,084
  • 3
  • 16
  • 39

1 Answers1

0

CORS isn't intended to prevent people from calling the API.

CORS is intended to prevent people from attaching credentials which may be used to attack the service automatically.

If I make a call to google.com/secret-service, then normally my google.com auth cookie will automatically be attached, and the service will be called with my credentials.

If I make a call to proxy.com/secret-service, then my google.com cookie isn't attached. It's now up to the application to authenticate and demonstrate that it's actually allowed to call google.com/secret-service.

Peter Dolkens
  • 133
  • 1
  • 7