The Author Online Book Forums are Moving

The Author Online Book Forums will soon redirect to Manning's liveBook and liveVideo. All book forum content will migrate to liveBook's discussion forum and all video forum content will migrate to liveVideo. Log in to liveBook or liveVideo with your Manning credentials to join the discussion!

Thank you for your engagement in the AoF over the years! We look forward to offering you a more enhanced forum experience.

guysagy (2) [Avatar] Offline

Can you clarify on which server the CORS filter needs to be installed, and the reason/logic for that ?

Lets assume that page "mypage.html" is installed on server A , and it issues an Ajax Http request to server B. Then it , potentially, may post/send "secret" data from A to B, which needs to be avoided (or granted explicitly).

In section 4.4.1, page 120, it says: "The server can also send a wildard ... if .. all origins are allowed to make requests to that server". So it seems to me that the text says that the CORS filter needs to be installed on server *B*. That is also my understanding of explanations from other sites on the subject.

However, my thinking is that it is server A [from which the 'secret' data was taken] that needs to grant the browser permission to post to server B. So, my understanding, is that the CORS filter needs to be installed on server *A*.

Can you please clarify on which server to install the filter, and the logic for that ?

Thank you very much,
guysagy (2) [Avatar] Offline
Re: Question re CORS Filter

OK, I think I got it:

The filter indeed needs to be installed on server B. The logic is this:

The scenario of legitimate data taken from A and being posted to an exploiter B is not affected by the CORS filter. The browser's default behavior remains (to disallow it) in this scenario.

Installing the filter on B allows or prevents the following scenario:
A is an exploiter:
B is a bank:
If A masquerades itself to B, users might input their credentials into A, then A can use these credentials to use cross-domain HTTP [from the same web page] to log into B .... the CORS filter on B will disallow these requests while (potentially) granting requests from other, legitimate, sites.


Message was edited by: