CORS & CSRF - clarification?

Posted 2019-06-08 15:17

I've been using CORS for a long time for allowing ajax responses to be read from another domain.

I had a discussion with a colleague about CORS and, during the discussion, he supplied an example which I thought was irrelevant to the CORS issue.

He said :

the same origin policy is so that if you're logged into your bank and go on my site, I can't exploit your credentials and make a cross origin request to your bank and send myself money.

But that seemed to me to be a pure CSRF attack, which is not related to CORS (except for reading the ajax response):

So I said :

About the thing you wrote: "if you're logged into your bank and go on my site, I can't exploit your credentials and make a cross origin request to your bank and send myself money." If I go to your site and you run an ajax request to the bank, the bank server WILL see the request. And if you run the ajax request withCredentials, the cookies WILL be sent. I think you're talking about blocking a CSRF attack.

Then he said :

no, CSRF is something different. CSRF is when I sneak an image or a button to make a request on your site to bypass the same origin policy.

(IMHO, no! You don't have to sneak anything onto my site. CSRF is when you make an unwanted request on my behalf to do evil things; you don't have to sneak anything.)

So I told him :

You can send me an HTML form which posts to a known location, for example the bank. And so the solution is a cookie / hidden field that must match a server-side value. So if the malicious site is making the request, it won't have the hidden field value. Your example talks about a CSRF attack. The part where you can't read the response is the only CORS part. I'm just saying that the bank example was a bit irrelevant here (to the CORS discussion).

He said :

Of course it was relevant

Finally I said :

IMO, CORS was designed for (for example):

a.com running ajax requests to facebook to get all friends. That's where it becomes more relevant.

Question :

For learning, for getting better, and in order to resolve this confusion and feel at peace: was I right?

1 answer
Rolldiameter
Reply #2 · 2019-06-08 16:12

The short answer is that for his attack to be possible, given the premise that any mutations would be issued using POST/PUT/DEL, your bank would have to enable CORS in order for the XHR to be allowed (the preflight checks would fail otherwise) AND be susceptible to a CSRF attack.

Of course, if the bank was susceptible to CSRF, a simple form post would do the trick as well.

So you are right. CORS does not prevent CSRF, all it does is relax the restrictions enforced by the Same Origin Policy.
