If CORS is properly set up on a server to only allow certain origins to access the server, is this enough to prevent XSRF attacks?
question from: https://stackoverflow.com/questions/19793695/does-a-proper-cors-setup-prevent-xsrf

To be more specific, it is easy to make the mistake of thinking that if evil.com cannot make a request to good.com due to CORS then CSRF is prevented. There are two problems being overlooked, however:
1. CORS is respected by browsers only. That means Google Chrome will obey CORS and not let evil.com make a request to good.com. However, imagine someone builds a native app or whatever which has a form that POSTs things to your site. XSRF tokens are the only way to prevent that.
2. It is easy to overlook the fact that CORS is only for JS requests. A regular form on evil.com that POSTs back to good.com will still work despite CORS.
For these reasons, CORS is not a good replacement for XSRF tokens. It is best to use both.