
I'm implementing CORS (Cross-origin resource sharing) in a framework.

I know that when an XMLHttpRequest request is made using jQuery's ajax(...) and the withCredentials property is true, the server must respond with these two things:

  • Access-Control-Allow-Credentials: true
  • Access-Control-Allow-Origin:[THE_DOMAIN]

The server can't respond with a wildcard, Access-Control-Allow-Origin: *: that doesn't work!

My question: how do I know, on the server, that withCredentials: true has been used, so I don't use the wildcard?

I compared the headers sent when using withCredentials: false and when using withCredentials: true and they are identical!

So, if I do want to allow credentials when the client requests it, does it mean I can't, ever, use Access-Control-Allow-Origin:*?

electrotype
    If `withCredentials` is set to true you should also receive any cookie set on the origin domain, I'm not sure whether this is true for the initial request or only after the server has responded with `Access-Control-Allow-Credentials: true` (I can imagine both scenarios to be true, though I assume the latter to be the most plausible). As for the wildcard, I tend to always specify the allowed domain (from the origin header). [this answer might help](http://stackoverflow.com/a/21851378/2579117). – Rogier Spieker May 02 '16 at 22:04
  • @RogierSpieker When a query is made with `withCredentials: true` but without any cookie, it also fails with the wildcard. I don't think it's desirable to force the client to send a cookie when he uses `withCredentials: true`... You don't know the logic of his code. So you can't really rely on the presence of a cookie, I think. Thanks for the help! – electrotype May 02 '16 at 23:42
  • I wasn't implying that one should force a cookie to be set, merely that it would happen if `withCredentials: true` is set. In which case the presence of a cookie would indicate `withCredentials` to be `true`. – Rogier Spieker May 03 '16 at 10:25

1 Answer


So, if I do want to allow credentials when the client requests it, does it mean I can't, ever, use Access-Control-Allow-Origin:*?

Yes.

The point of Access-Control-Allow-Origin:* is that it lets you, with very little effort, grant access to every website. It lets you say "This data is public and anyone can access it".

If you require credentials to access the resource, then it doesn't make sense to say "This data is public and anyone can access it".

If you were to grant access to every website, then every website visited by someone logged into your site could read the data from it (effectively making it public).

So, you need to have a whitelist of trusted sites that are allowed to access the data and then check the Origin header before explicitly granting access to them.

Quentin
  • I guess you are right! But then I'm still not sure why anyone would ever want to use the wildcard version! I mean, you simply have to copy the `Origin` header of the request to a `Access-Control-Allow-Origin` header of the response and this also "grants every website" and you also allow credentials doing so... Is there something else the wildcard version allows that is lost when using that "header copy" trick? – electrotype May 02 '16 at 22:10
    You can stick a header with a static value in with one line of code in a server configuration. Dynamically echoing the Origin header is more effort. – Quentin May 02 '16 at 22:13
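The allowlist approach the answer recommends, as an added example that is not part of the original question or answer. It is plain Node.js with no framework; `ALLOWED_ORIGINS` and the `credentialed` resource flag are constructed assumptions. The key point it encodes is the one the question ran into: the server cannot see `withCredentials` in the request headers, so the choice between `*` and an echoed origin is a per-resource policy decision, not something detected per request. An origin is echoed back only when it is on the allowlist, so the "copy the Origin header" trick from the comments (which is `*` plus credentials in disguise) never happens.

```javascript
// Added example (not from the original post): CORS response headers computed
// from an explicit origin allowlist, with no wildcard on credentialed resources.
// Assumption: "request" has a lower-cased headers map, as Node's
// http.IncomingMessage provides.

// Constructed allowlist of trusted origins (scheme + host [+ port], no path).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// "credentialed" is a property of the resource, decided server-side. The request
// headers are identical whether or not the client set withCredentials, so this
// cannot be inferred from the request (exactly what the question observed).
function corsHeaders(request, { credentialed }) {
  const origin = request.headers['origin'];
  const headers = {};

  // Same-origin or non-browser requests carry no Origin header: nothing to add.
  if (!origin) return headers;

  if (!credentialed) {
    // Public data: the wildcard is the simplest correct answer.
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }

  // Credentialed resource: echo the origin only if it is on the allowlist.
  // Browsers reject "*" with credentials, and blindly copying Origin would make
  // logged-in data readable by any site the user visits.
  if (ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    // The response now differs per origin; shared caches must key on it.
    headers['Vary'] = 'Origin';
  }
  // Unknown origin: no Access-Control-Allow-Origin at all, so the browser
  // blocks the response from being read by the page.
  return headers;
}

// Preflight (OPTIONS) for non-simple requests such as PUT or custom headers.
// Methods and headers come from a fixed server-side list, not from the request.
function preflightHeaders(request, options) {
  const headers = corsHeaders(request, options);
  if (headers['Access-Control-Allow-Origin']) {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, X-Requested-With';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}
```

In a request handler you would call `corsHeaders` (or `preflightHeaders` when `request.method === 'OPTIONS'`) and copy the returned object onto the response with `setHeader`. The `credentialed` flag is typically true for anything behind a session cookie or HTTP auth and false for genuinely public endpoints; the two must not share a wildcard policy.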