Cheatography

Cross-origin Resource Sharing (CORS) Cheat Sheet (DRAFT) by

Cross-origin Resource Sharing (CORS)

This is a draft cheat sheet. It is a work in progress and is not finished yet.

CORS headers

Access-Control-Allow-Origin
Tells the browser which origin (scheme, host and port) is allowed to read the response
Access-Control-Allow-Credentials
Tells the browser whether the response to a credentialed request (one sent with cookies, an Authorization header or a client certificate) may be read

Check for reflected origin

Usage
Origin: https://xyz.com
Send an arbitrary origin. If Access-Control-Allow-Origin echoes it back, the server trusts every origin; together with Access-Control-Allow-Credentials: true, any site can read the victim's authenticated responses from their browser.

Check for null origin

Usage
Origin: null
Send the null origin, which browsers produce for sandboxed iframes, data: URLs and some redirects. If the response carries Access-Control-Allow-Origin: null with credentials allowed, an attacker's page can issue the request from a sandboxed iframe and read the authenticated response.

Check for target as subdomain of malicious domain

Usage
Origin: https://target.com.malicious.com
Send the target's origin as a prefix of an attacker-controlled domain. A check anchored only at the start (a startswith test, or a regex such as ^https://target\.com with no trailing anchor) accepts this value, and the attacker can register the domain.

Check for a random subdomain of target

Usage
Origin: https://xyz.target.com
Send a non-existent subdomain of the target. If it is accepted, the server trusts every subdomain (typically an endswith test or a .*\.target\.com regex), so an XSS on any subdomain, or a dangling DNS record that can be taken over, gives access to the target's responses.
 

Values for Access-Control-Allow-Origin

<origin>
Allow a single origin, written as scheme://host[:port] (e.g. https://app.example.com). Only one value may be sent, so a server that trusts several origins must pick the matching one per request and add Vary: Origin
*
Allow any origin to read the response
Allow-Credentials is forbidden: a browser refuses a credentialed response whose Allow-Origin is *, whatever else the server sends
null
Allow the null origin. Dangerous: an attacker's page can produce Origin: null with a sandboxed iframe (see the null origin check above)

Values of Access-Control-Allow-Credentials

true is the only permitted value of the header. If it is missing or has any other value, the browser will not let the page read the response to a credentialed request (one sent with cookies, an Authorization header or a client certificate).

The header cannot be combined with the wildcard origin (*): for a credentialed request the browser blocks the response regardless of Allow-Credentials, so a server that needs credentials must return a specific allowlisted origin instead.

Mitigation

Keep a server-side allowlist of trusted origins (scheme://host[:port]) and compare the Origin header to it by exact string match; respond with the matched allowlist entry, never by echoing the raw header.
Do not validate with regexes or prefix/suffix checks on the hostname; that is exactly what the two subdomain probes above exploit.
Never allow the null origin; any page can produce it with a sandboxed iframe.
Send Access-Control-Allow-Credentials: true only for allowlisted origins and never with *; for a genuinely public resource, send * without credentials.
Add Vary: Origin whenever the Access-Control-Allow-Origin value depends on the request, so a shared cache cannot hand one origin's response to another.
Keep the allowlist short: every trusted subdomain is a place where an XSS or a subdomain takeover turns into a CORS bypass.
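The script below is an added example, not code from the original cheat sheet. It serves both the four checks above and this mitigation section: it sends the four probe Origins, judges each response by the browser's own rule (Allow-Origin must equal the request Origin or be *; a credentialed response additionally needs Allow-Credentials: true and never accepts *), and contrasts two misconfigured stand-in servers with an allowlist handler that applies the mitigations. TARGET, the probe hostnames, ALLOWED_ORIGINS and the stand-in servers are hypothetical; no response here comes from a real host.

```python
"""CORS probe checks and the hardened server-side decision, in one script.

Added example, not part of the original cheat sheet. TARGET, the probe
hostnames, ALLOWED_ORIGINS and the stand-in servers are constructed for
illustration; nothing here is captured from a real host.
"""
import re

TARGET = "https://target.com"  # hypothetical target origin (assumption)

# The four probes from the checks above, as full serialized origins.
PROBES = {
    "reflected origin": "https://xyz.com",
    "null origin": "null",
    "target as subdomain of malicious domain": "https://target.com.malicious.com",
    "random subdomain of target": "https://xyz.target.com",
}


def browser_exposes(origin, headers, credentialed=True):
    """True if a page at `origin` would be allowed to read this response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao == "*":
        return not credentialed      # wildcard never satisfies a credentialed request
    if acao != origin:
        return False                 # browsers compare exactly, no pattern matching
    if not credentialed:
        return True
    return h.get("access-control-allow-credentials", "").lower() == "true"


def run_probes(send, credentialed=True):
    """Send every probe through `send(origin) -> response headers dict` and
    return {check name: 'exposed' | 'ok'}."""
    return {
        name: "exposed" if browser_exposes(o, send(o), credentialed) else "ok"
        for name, o in PROBES.items()
    }


# Stand-in servers (constructed). Against a live host, `send` would perform
# a GET with the Origin header set and return the response headers.
def reflecting_server(origin):
    """Misconfiguration: echoes any Origin and allows credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def sloppy_regex_server(origin):
    """Misconfiguration: unanchored regex plus an explicit null allowance.
    Accepts target.com.malicious.com and xyz.target.com, rejects xyz.com."""
    if origin == "null" or re.search(r"target\.com", origin):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


# Hardened handler implementing the mitigations above.
ALLOWED_ORIGINS = frozenset({TARGET, "https://app.target.com"})  # hypothetical


def allowlist_server(origin, allowed=ALLOWED_ORIGINS, credentials=True):
    """Exact match against a fixed allowlist of serialized origins.

    Defeats reflection, prefix/suffix and arbitrary-subdomain tricks by
    construction; 'null' is never allowlisted; the echoed value is the
    allowlisted string; Vary: Origin keeps caches from mixing origins;
    credentials are only ever paired with a specific origin, never '*'.
    """
    if origin is None or origin not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def public_server(origin):
    """For a genuinely public, unauthenticated resource: wildcard, no credentials."""
    return {"Access-Control-Allow-Origin": "*"}


if __name__ == "__main__":
    for name, srv in [("reflecting", reflecting_server),
                      ("sloppy regex", sloppy_regex_server),
                      ("allowlist", allowlist_server)]:
        print(f"{name:13s} {run_probes(srv)}")
    print("allowlisted origin:", allowlist_server("https://app.target.com"))
```

To test a live endpoint, pass `run_probes` a function that performs a GET with the Origin header set to its argument and returns the response headers as a dict; the classification logic stays the same.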