Hello,
Can you clarify on which server the CORS filter needs to be installed, and the reason/logic for that?
Let's assume that page "mypage.html" is installed on server A, and it issues an Ajax HTTP request to server B. Then it, potentially, may post/send "secret" data from A to B, which needs to be avoided (or granted explicitly).
In section 4.4.1, page 120, it says: "The server can also send a wildcard ... if .. all origins are allowed to make requests to that server". So it seems to me that the text says that the CORS filter needs to be installed on server *B*. That is also my understanding of explanations from other sites on the subject.
However, my thinking is that it is server A [from which the 'secret' data was taken] that needs to grant the browser permission to post to server B. So my understanding is that the CORS filter needs to be installed on server *A*.
Can you please clarify on which server to install the filter, and the logic for that?
Thank you very much,
Guy
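
The exchange the question describes, as an added example that is not part of the original post or of the book it cites: in CORS the `Access-Control-Allow-*` headers are sent by the server that receives the cross-origin request (server B), and the browser checks them before letting the page loaded from A read B's response. The origin `https://a.example` and all function names are constructed for illustration, and the check is simplified to requests that need no preflight.

```javascript
// Added example: models the CORS decision for a page served by A calling server B.
// ORIGIN_A is a constructed placeholder for the origin that serves mypage.html.
const ORIGIN_A = "https://a.example";

// Server B side: the headers a CORS filter on B adds to B's response.
// allowList is B's own policy: an array of origins, or "*" for any origin.
function corsHeadersFromB(requestOrigin, allowList, allowCredentials = false) {
  const headers = {};
  if (!requestOrigin) return headers; // no Origin header: nothing to add
  if (allowList === "*" && !allowCredentials) {
    headers["access-control-allow-origin"] = "*";
  } else if (Array.isArray(allowList) && allowList.includes(requestOrigin)) {
    headers["access-control-allow-origin"] = requestOrigin;
    headers["vary"] = "Origin"; // the response now differs per requesting origin
    if (allowCredentials) headers["access-control-allow-credentials"] = "true";
  }
  return headers;
}

// Browser side: the check applied to B's response before script from the
// page's origin may read it (the Fetch standard's CORS check, simplified).
function browserExposesResponse(pageOrigin, responseHeaders, withCredentials = false) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;       // B granted nothing
  if (allowOrigin === "*") return !withCredentials;  // wildcard never covers credentials
  if (allowOrigin !== pageOrigin) return false;      // B granted a different origin
  if (!withCredentials) return true;
  return responseHeaders["access-control-allow-credentials"] === "true";
}

// One round trip: a page on pageOrigin requests B, B's filter answers, browser decides.
function crossOriginRead(pageOrigin, allowList, opts = {}) {
  const { credentials = false, allowCredentials = false } = opts;
  const fromB = corsHeadersFromB(pageOrigin, allowList, allowCredentials);
  return browserExposesResponse(pageOrigin, fromB, credentials);
}

console.log("B has no CORS policy:  ", crossOriginRead(ORIGIN_A, []));
console.log("B allow-lists A:       ", crossOriginRead(ORIGIN_A, [ORIGIN_A]));
console.log("B sends wildcard:      ", crossOriginRead(ORIGIN_A, "*"));
console.log("wildcard + credentials:", crossOriginRead(ORIGIN_A, "*", { credentials: true }));
```

Nothing that server A sends appears anywhere in the decision; only B's response headers and the origin of the requesting page do.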