Developers don't understand CORS (2019)
6 hours ago
- #Web Security
- #Developer Education
- #CORS
- Many web developers struggle with understanding CORS, leading to security vulnerabilities.
- A recent Zoom vulnerability involved a localhost web server that encoded its responses in image dimensions so a web page could read them despite CORS, exposing the system to attacks.
- Chrome does respect CORS headers for localhost, contradicting a common misconception mentioned in the Zoom case.
- A secure implementation would expose the local API as REST endpoints that send proper Access-Control-Allow-Origin headers, with a Content Security Policy on the calling page to restrict access.
- The Zoom approach compromised user predictability and security, highlighting poor user experience design.
- CORS confusion is widespread across developers of all experience levels, with insecure examples often shared online.
- Developers sometimes bypass same-origin policies to make code work, which can lead to significant vulnerabilities.
- The issue raises questions about whether the CORS API is too complex or if better education is needed.
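As an added illustration of the secure approach described above (example code, not from the article or from Zoom): a minimal localhost API whose CORS policy is an explicit origin allowlist, shown beside the reflected-Origin anti-pattern. The origin, port and endpoint are constructed placeholders.

```python
"""Constructed example: localhost API with an allowlisted CORS policy."""
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

# Assumption: only this (placeholder) page origin may call the local API.
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = "GET, OPTIONS"
LISTEN = ("127.0.0.1", 8765)  # constructed port, not a real product's


def cors_headers(origin):
    """Return CORS response headers for a request from `origin`, or None
    when the origin is not allowlisted (the browser then blocks the read)."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return None
    return {
        "Access-Control-Allow-Origin": origin,  # echo only an allowlisted value, never "*"
        "Vary": "Origin",                       # caches must key on the Origin header
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": "Content-Type",
    }


def weak_cors_headers(origin):
    """The anti-pattern often copied from online examples: reflect any Origin.
    Every site on the internet can then read responses from the local server."""
    return {"Access-Control-Allow-Origin": origin or "*"}


class LocalApi(BaseHTTPRequestHandler):
    def _send(self, status, headers, body=b""):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):  # preflight: answer only for allowlisted origins
        headers = cors_headers(self.headers.get("Origin"))
        self._send(204 if headers else 403, headers or {})

    def do_GET(self):  # constructed endpoint returning a small JSON status
        headers = cors_headers(self.headers.get("Origin"))
        if headers is None:
            self._send(403, {}, json.dumps({"error": "origin not allowed"}).encode())
            return
        self._send(200, headers, json.dumps({"status": "ok"}).encode())


if __name__ == "__main__":
    HTTPServer(LISTEN, LocalApi).serve_forever()
```

Run it and fetch from a page served on the allowlisted origin; a request from any other origin gets a 403 with no CORS headers, so the browser blocks the read instead of the server leaking a response through a side channel such as image dimensions.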