Full Disclosure: Pros and cons of 'Access-Control-Allow-Origin' header?

Pros and cons of 'Access-Control-Allow-Origin' header?

From: David Blanc <davidblanc1975 () gmail com>
Date: Thu, 23 Feb 2012 00:07:08 +0530

Does 'Access-Control-Allow-Origin' header provide any benefits in
defending against cross site scripting attacks?

Doesn't 'Access-Control-Allow-Origin' header make any XSS flaw
trivially exploitable? For example, if an attacker finds an XSS flaw
in a web application, he can now inject a JavaScript with
XMLHttpRequest that sends a request to attacker's web server which
serves resources with the HTTP header "Access-Control-Allow-Origin:
*". The browser would see this header and fetch the resource from the
attacker's web server.

Isn't the web a safer place without this header?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Pros and cons of 'Access-Control-Allow-Origin' header? David Blanc (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michele Orru (Feb 22)
  - Re: Pros and cons of 'Access-Control-Allow-Origin' header? David Blanc (Feb 22)
- Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michal Zalewski (Feb 22)
  - Re: Pros and cons of 'Access-Control-Allow-Origin' header? Michele Orru (Feb 22)