Let's say I own a site www.a.com which shows some information to the user after logging him in. Here is the flow (assume everything is over https even if not explicitly mentioned) -
Just looking at the code anyone can know that the two APIs the JS uses are www.a.com/login and www.a.com/getdata
Now here are the scenarios I get confused over -
If a rogue entity (or someone like Mint) creates a site (www.r.com) that asks for the user password and posts it to the APIs, can my server know it? Here the JS is not from a.com but completely re-written by r.com. Do the CORS rules or same origin policy apply here?
Another scenario: if www.r.com embedded a frame on its page that is loading www.a.com and asking for the username and password there, that means it's actually loading the a.com JS. In this case, can JS from r.com access the data sent down to the frame loading a.com?
Do the CORS rules or same origin policy apply here?
Yes. Per the Same Origin Policy, the script on r.com will not be able to read the results of any request it makes to a.com. Therefore it will not be able to read the login token. If you add CORS support then you can opt-in to allowing r.com access, in which case it will be able to interact freely with your site.
Note that if r.com is a malicious site and is able to get the user to enter their password, the browser's Same Origin Policy won't actually protect the user. The malicious page can just send the information to their own server where arbitrary requests can be sent to your site with the user's credentials.
Can JS from r.com access the data sent down to the frame loading a.com?
The Same Origin Policy applies to iframes as well, so the r.com script will not be able to access the data sent to the a.com iframe.
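As an added example (not part of the question or answer above), here is how a.com's server could implement the CORS opt-in the answer mentions without silently extending it to r.com: the browser only lets a cross-origin script read the response when a.com echoes that script's origin, so the decision must be a fixed allowlist rather than a reflection of whatever Origin header arrives. The allowlisted partner origin is an assumption for illustration.

```javascript
// Added example, not code from the original question or answer.
// Origins a.com explicitly trusts to read its API responses with the
// user's credentials. "https://partner.example" is an assumed value.
const ALLOWED_ORIGINS = new Set(["https://partner.example"]);

// Returns the CORS response headers to attach for a request carrying the
// given Origin header, or null when the origin is not trusted. Sending no
// CORS headers at all is the safe default: the request still reaches the
// server, but the browser's Same Origin Policy refuses to expose the
// response (and the login token in it) to the calling script.
function corsHeadersFor(origin) {
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return null;
  }
  return {
    // Echo the specific trusted origin, never "*": browsers reject a
    // wildcard when credentials are involved, and reflecting any incoming
    // Origin would grant r.com exactly the access the policy withholds.
    "Access-Control-Allow-Origin": origin,
    // Needed because /login and /getdata rely on the user's credentials.
    "Access-Control-Allow-Credentials": "true",
    // The response differs per Origin, so shared caches must key on it.
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
  };
}

// Applies the decision to a Node http request/response pair (assumed
// handler shape; the /login and /getdata logic itself is out of scope).
function applyCors(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  if (headers) {
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
  }
  return headers !== null;
}

module.exports = { corsHeadersFor, applyCors, ALLOWED_ORIGINS };
```

Same-origin requests from www.a.com's own pages never need these headers; the allowlist exists only for the cross-origin readers a.com deliberately chooses to trust.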