something I don't think I've ever seen explained is whether there's any situation where it's safe to set "Access-Control-Allow-Origin: *" other than "if your site literally never serves any private data"
(I often hear "don't do it" which is fair I guess, but also like the Mastodon API intentionally sets Access-Control-Allow-Origin: * and that's extremely useful)
also is there any name for the attack(s) that setting "Access-Control-Allow-Origin: *" might expose you to? i feel like it's so much easier to talk about security stuff in terms of the specific threats we're trying to avoid, but I can't think of the name for it
(edit: I think it's CSRF)
Julia Evans
Viss
Adam Katz
TaggartACAO: *.@mttaggart @b0rk I think this is the other thing that's challenging about CORS (and security in general) -- it's hard to get a "yes, that's safe" answer. There's a mix of "it depends" and "here's _one_ example of an unsafe pattern", but "I know two unsafe patterns" does not indicate that all other patterns are safe.
In general, it's hard to prove a negative (i.e. "there are no security flaws in this design"), and since the security discussion is generally pointed towards risk-avoidance, you'll rarely get clear "do X" advice. If you can produce some on this (like a "web security basics" zine), I would buy it. 😁
@b0rk What that page misses is consideration of the question: is there any chance the content on my site could be used maliciously?
That is, if my site allows user-uploaded content, how sure am I that there's zero chance my site might end up hosting something malicious?
Which, of course, has nothing to do with credentials.
Or, I guess, put another way: yes, credential and identity exfiltration is one vulnerability addressed by CORS (and CSP), but it's not the only one.
One specific example here is a scenario where a site allows users to upload their own avatar image, say in PNG format. But instead of sending a PNG, the user uploads a JS file but sends its content-type: image/png. The site thinks "it's just an image" and doesn't bother to check that the content is actually valid.
If that site then has ACAO: *, it has just become a hosting service for malicious code.
Write-up for an SVG alternative to this attack: https://www.cloudflare.com/cloudforce-one/research/svgs-the-hackers-canvas/
@b0rk Which just gets us back to: it's not that * is bad, it's that it has inherent risks that you really have to think through, and thus shouldn't be offered as the default "just do this to fix it" solution.
This is one of the reasons the similar configs in CSP explicitly use the word unsafe when you're doing something unsafe. This is, IMO, significantly better DX, because the dev will hopefully be less likely to just copy and paste without understanding the risks.
It's unfortunate the Access-Control-Allow-* headers didn't use similarly evocative language.
@ricko thanks so much for that example! I would never have thought of that. i'm thinking about this * thing because (while I like to be as conservative as possible when setting permissions) I definitely had some wrong beliefs about why ACAO: * was bad and I like to know _why_ something is unsafe
I like the CSP naming and also with CSP it seems more obvious to me what the risks of allowing arbitrary code to run on my site are
I like to know why something is unsafe
Yeah, absolutely. I like the CSP stuff at https://content-security-policy.com/ because it includes lots of very practical guidance on when and when not to use each option. I think the CORS space could really use something similar, where it has very real-world scenarios.
"Do you want other sites to be able to use your images? Your JS?"
"Does your site offer embeddable content, such as via iframe?"
"Does your site allow users to upload content?"
"Is your site accessible via multiple domain names?"
etc, etc. It could then offer similar risk discussions and mitigation scenarios. "Always ensure images are actually images." "Never allow users to upload JS files." "Reject all SVG files with script tags."
doesn't that work in absence of A-C-A-O?
As a script or img, yes. (Presuming poor CSP setup.) But we've also seen plenty of naive user agents which don't pay attention to the content-type and will instead content sniff. MSIE was a classic example. We're seeing similar vulnerabilities in AI agents.
in what scenarios an attacker can cause another site to embed that script tag, but neither an inline script tag, nor a script src=bar tag that points at any of the pastebin sites
I could see a scenario like this:
evana
Rick Osborne
robrykscript or img tags to slip through, like that username.@robryk @b0rk You're right, for that specific example. I ran out of characters and oversimplified.
In today's world of SPAs, it's just as likely that this could be done without script tags, just some field where the user enters a URL. For example, "use this image at this URL as the cover art for this album" or "as the start for this generative AI thing".
That URL gets fetched, sent back as JS (through poor sanitization on bad-cors.example), and then the * tells the browser to allow it to run.
That still requires some exceptionally poor code on the fetch side of things, but that's always the case with vulnerabilities: they don't have to be likely, just possible, because the infinite monkeys which make up the Internet will eventually trip across the specific very bad combination.
@robryk @b0rk Yeah, in a sense, A-C-A-O: * is effectively telling the world: "I attest anything accessible from bad-cors.example to be safe to use absolutely anywhere".
Which is reasonable only when bad-cors.example has seriously vetted all the ways they expect their content to be used, and considered all the ways it might be abused.
When you introduce user-managed content into that, those stories get significantly more complex. But if, for example, I wrote up some JS which I wanted to share with the world and I wanted to be usable anywhere, and it was always under my control, then * is perfectly fine and reasonable.
it feels like CSP would benefit from a feature where a resource could be repudiated for CSP-related purposes
CSP does have a repudiation feature where you can really lock it down. Safelist instead of blocklist.
https://content-security-policy.com/hash/
Many modern build systems will generate these by default and embed them in the HTML which loads the JS for the app. (You can send them in the HTTP headers, but that's actually very rare, as now you need to synchronize your headers with specific content versions, which is a pain.)
While these hashes are also useful for Sub-Resource Integrity (tamper detection), they work just as well for attestation. "When loading this app, these are the hashes of the exact list of scripts, css, images, etc, which I expect to be loaded and used."
I just built a system for this a few months ago at my previous employer. It's fiddly to set up, but it really helps raise visibility of when something changes in your build/deploy system, whether intentional or not.
@[email protected] And there's another line by which every modern dev has to greet the hat of browsers bowing to people's inability to follow standards: <meta name="color-scheme" content="dark light"> Way before smartphones and dark mode, I was taught by @[email protected] to not assume default colors, and thus to only set foreground colors I also set background colors -- in case someone has unconventional defaults. (Along with using percentages vs absolute lengths to work, and not assuming any DPI value).
@b0rk
Off the top of my head check out "HTTP verbs and CSRF" on Wikipedia
https://en.wikipedia.org/wiki/Cross-site_request_forgery
(Though idk if CSRF is the right name for these attacks, it's got a nice ring to it)
@b0rk It's reductive, but in general, don't ever set it to *.
The one place where it's reasonable (but still not great) is multi-tenant hosting. That is, a single site/app which could be homed under any number of domains. In such a scenario, it may be more trouble than it's worth to try to have preflight responses check the Origin.
If you know you aren't serving JS assets or anything which could reasonably be exploited, then, on paper at least, you can justify just using *.
The trick with that, though, is if you are serving any user-uploaded content, then you can't 100% trust even that. Things like JS-in-SVG exploits are very real, as are things like the big WebP problem a few years back. You can try to rely on your media upload and handling pipeline to detect such problems, but you're then accepting some risk.
Another place it's commonly used is embeddable content. But even that, I'd argue, should be handled on a dedicated domain. It's work, but it's worth it.
@b0rk It's a fair question.
I think the easiest way to answer would be to say: if I was undergoing a security review of my app (in this case Mastodon), and the auditors were very savvy, they would ask me to justify why I specifically used that configuration. I would want to have a decision record document on hand — or at the bare minimum a nice juicy comment in the code right above that * — explaining why it was set that way.
For massive OSS like Mastodon, I would also want to be able to point devs at a similar document (maybe the same one). Not just to guide devs on that code, but also to guide devs using that code as a reference for developing something else. Or, increasingly, to get it in front of the LLMs which are going to tell devs to replicate that outcome.
Maybe the Mastodon devs have a good, tested, reasonable explanation for using it. Maybe it's something I haven't considered.
But if it's not documented, IMO, it's not really a reason, it's just an accident of inertia.
@b0rk Looking at the Mastodon source, it seems like there's not a ton of explicit intent around CORS — it seems like it's just using the off-the-shelf config for Rack-CORS:
https://github.com/mastodon/mastodon/blob/main/config/initializers/cors.rb
Out of the box Mastodon only supports a single domain. An .env.production has a LOCAL_DOMAIN config which could be used to check the preflight Origin headers, instead of using *.
But ... having said that, CORS is, as you have seen, very frustrating, and easy to misconfigure. Maybe they just don't want a zillion tickets from people trying to get their local instance running, but failing due to CORS misconfig.
@b0rk I also feel like people forget that POST is fine cross-origin. You just can't read the response (beyond status code): https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS#simple_requests
(This is why CSRF has been a thing since well before CORS came about)
The rules around cross-origin POSTing are a bit complex / restricted nowadays, but the most common stuff has worked since the very earliest days of HTTP until now.
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.
@groxx i find it so hard to remember which POSTs are allowed and which aren't (like an "application/x-www-form-urlencoded" content type is allowed but "application/json" isn't??)
the rules feel arbitrary to me, kind of like they wanted to restrict POSTs more but couldn't because of backwards compatibility
@robryk interesting, I hadn't thought of it that way.
If that's true it does feel like it would contribute to a perception of same-origin restrictions as being "arbitrary"
@robryk one aspect of "hotlinking prevention" that just occurred to me though is that some APIs are not really "appropriate" to use in a frontend context
like I don't think it would make sense to use the Twilio API in a frontend context, because of the way its auth works, you wouldn't want to expose your API key in your frontend in that way
so if I was the developer of that API I might not set A-C-A-O to discourage that kind of usage? Not sure.
@b0rk @freddy My understanding is that it is designed to be safe to set for any site that is reachable from the public Internet.
In other words, a bunch of early browser security model decisions were made to prevent exfiltration of data from behind corporate firewalls.
ACAO:* is designed to be the thing that you can set globally in the server configuration for servers that are public, to fix the things that don't need to be blocked for public servers.
Erik Sturcke
chrysn
jub0bs
Ted Mielczarek
luca
Niko~ 🇱🇺 
Artemis
Lisa Gaudette
groxx
Frederik Braun �
Anton 🇺🇦🇪🇺
L. David Baron