To be more specific, it is easy to make the mistake of thinking that if evil.com cannot make a request to good.com due to CORS then CSRF is prevented. There are two problems being overlooked, however:
CORS is respected by the browsers only. That means Google Chrome will obey CORS and not let evil.com make a request to good.com. However, imagine someone builds a native app or whatever which has a form that POSTs things to your site. XSRF tokens are the only way to prevent that.
It is easy to overlook the fact that CORS applies only to JS requests (XMLHttpRequest/fetch). A regular HTML form on evil.com that POSTs back to good.com will still work despite CORS.
For these reasons, CORS is not a good replacement for XSRF tokens. It is best to use both.
He who fights with dragons too long becomes a dragon himself; and if you gaze long into an abyss, the abyss also gazes into you…