I'm trying to understand why cross-domain requests without credentials are not allowed (by default, without setting up a server to return the Access-Control-Allow-Origin header). When a request has credentials all is pretty straightforward - one can fulfill some malicious actions on your behalf on other sites, for example on Facebook, if you have logged in on it.
For example, the request
xhr = new XMLHttpRequest();
xhr.open('GET', 'http://www.google.com');
xhr.send();
produces the error (I executed it in Chrome's console from this site):
XMLHttpRequest cannot load http://www.google.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://stackoverflow.com' is therefore not allowed access.
So, the server must send an appropriate header (e.g Access-Control-Allow-Origin: * ) to this request can work.
This is just a simple request and no cookies are sent. What's the reason for such a restriction? What security issues might take place if such CORS will be allowed?
without credentials - without cookies:
default settings for XMLHTTPRequest is withCredentials = false
, so no cookies are sent in the request - link.
I'll go ahead and liberally steal from Security.SE's Why is the Access-Control-Allow-Origin header necessary?
The main concern here is access control based on network topology. Suppose you run a HTTP service on your home network (in fact, you almost certainly do, if your router itself has a Web interface). We'll call this service R
, and the only machines connected to your home router can get to the service.
When your browser visits evil.example.com
, that site serves your browser a script, telling it to fetch the contents of R
and send it back to evil.example.com
. This is potentially bad, even without credentials, because it's a violation of the assumption that no one outside your local network can view the services running inside your local network. The same-origin policy stops this from happening. If the same-origin policy only came into play when credentials were involved, it would opens up the possibility of bypassing topology-based protections.
Consider also that some public services allow access based on IP address:
In all of the cases listed here, a browser could be used as an unwitting proxy for any site that serves it a script.