CORS
cen1ou, 2022-03-17 11:57:01

How do I set up CORS for XMLHttpRequest?

I want to point out right away that I am a complete beginner; I am just starting to study information security and everything connected with it.
The goal is to allow reading and displaying the contents of the user_info.html page on the localhost domain only from the trustedhost.com domain.
There is a user_info.html file with arbitrary content on the localhost domain, which is the file being requested.
There is also a request.html file on the attacker.com domain, from which the XHR request is sent:

<body>
  <script>
    function loadData() {
      var xhr = new XMLHttpRequest();
      // Cross-origin GET from attacker.com to localhost; the third argument
      // (false) makes the request synchronous, which browsers deprecate but
      // still allow for this kind of test.
      xhr.open("GET", "http://localhost/user_info.html", false);
      xhr.send();

      if (xhr.status != 200) {
        alert(xhr.status + ': ' + xhr.statusText);
      } else {
        // Only reachable if the browser accepted the CORS response headers.
        alert(xhr.responseText);
      }
    }
  </script>
  <button onclick="loadData()">getdata</button>
</body>


nginx configuration file:

location / {
    # Intended: only pages from http://trustedhost.com may read the response.
    add_header 'Access-Control-Allow-Origin' 'http://trustedhost.com';
    try_files $uri $uri/ =404;
}


The problem is the CORS header in the response to the XHR request; it looks like this:
Access-Control-Allow-Origin: *

This header value appears only for the XHR request.
That is, it looks as if the nginx config is not being used for the CORS request specifically. For a request for the page itself, the server returns the headers as expected.
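The origin allowlist that the question's nginx add_header line is trying to express, written as an added example (not part of the original post) in Python instead of nginx: a small HTTP handler that echoes Access-Control-Allow-Origin only when the request's Origin header is exactly http://trustedhost.com and always sets Vary: Origin. The server still serves user_info.html to any client that asks; the header only decides whether the browser lets the requesting page read the response, so it is not an access control on the file itself. The resource path and the trusted origin come from the question; the port, the handler and the file content are constructed here.

```python
"""Exact-match CORS origin allowlist (constructed example, not the question's server)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# The one origin the question wants to permit (scheme + host, no wildcard).
ALLOWED_ORIGINS = {"http://trustedhost.com"}


def cors_headers_for(origin):
    """Return the CORS response headers for a given Origin header value.

    An allowlisted origin is echoed back verbatim; any other value (a
    different host, a different scheme, a missing Origin header, the literal
    "null", a malformed value) gets no Access-Control-Allow-Origin at all,
    so the browser refuses to expose the response body to that page.
    Vary: Origin is always set so a shared cache never serves a response
    generated for one origin to a page from another.
    """
    headers = {"Vary": "Origin"}
    if origin is None:
        return headers
    parts = urlsplit(origin)
    # A real Origin value is scheme://host[:port] with no path component.
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
        return headers
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
    return headers


class UserInfoHandler(BaseHTTPRequestHandler):
    # Constructed stand-in for the user_info.html file from the question.
    BODY = b"<p>constructed user_info.html content</p>"

    def _send(self, status, body):
        self.send_response(status)
        for name, value in cors_headers_for(self.headers.get("Origin")).items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/user_info.html":
            self._send(200, self.BODY)
        else:
            self._send(404, b"not found")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), UserInfoHandler).serve_forever()  # port is assumed
```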
