| Details | |
|---|---|
| Alert ID | 40040-1 |
| Alert Type | Active |
| Status | beta |
| Risk | Informational |
| CWE | 942 |
| WASC | 14 |
| Technologies Targeted | All |
| Tags |
CWE-942 OWASP_2017_A05 OWASP_2021_A01 POLICY_PENTEST POLICY_QA_CICD POLICY_QA_FULL POLICY_QA_STD WSTG-V42-CLNT-07 |
| More Info |
Scan Rule Help |
Summary
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP).
Solution
If a web resource contains sensitive information, the origin should be properly specified in the Access-Control-Allow-Origin header. Only trusted websites needing this resource should be specified in this header, with the most secured protocol supported.Other Info
References
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS
- https://portswigger.net/web-security/cors