CORS
gera7, 2021-05-11 10:36:07

Why is it dangerous to specify Access-Control-Allow-Origin: * (allow access to a resource from any origin) on the server?

There is a payment system; payments are created through its API.
Its documentation is written for PHP, but I know JavaScript and am trying to send XMLHttpRequest / Fetch requests, and I keep getting the error:
"No 'Access-Control-Allow-Origin'"

Right now I see 2 options:
1. Set up my own proxy server to bypass CORS: requests go to the proxy, the proxy sends the request to the server, receives the response, adds Access-Control-Allow-Origin to it and sends it to the browser (this option works; tested on a public proxy server).
2. Write to the payment system's support and ask them to add Access-Control-Allow-Origin: *.

Question:
1. What are the disadvantages of the first option?
2. Why is it dangerous for a payment system to allow access to a resource from any source according to option 2?
3. Is it possible for them to make changes or will they ignore me?

If Access-Control-Allow-Origin: * is an insecure method, then why is it so easy to bypass it through a proxy?

3 answer(s)
Anatoly Medvedev, 2021-05-11
@balamyt92

2. Why is it dangerous for a payment system to allow access to a resource from any source according to option 2?

Because this opens up a lot of opportunities for the simplest XSS, phishing and all the problems that follow from them. A payment system cannot afford this.
3. Is it possible for them to make changes or will they ignore me?

They will laugh at you, and you will end up in the humorous "the client wants something strange" selection in the internal mailing list.
1. What are the disadvantages of the first option?

Well, this is your resource and its vulnerabilities.

SagePtr, 2021-05-11
@SagePtr

If the API methods are intended for server-to-server interaction, then you need to call them from the server side in your PHP script, not move that out to the client. If you create the payment on the client side, how will your server then make sure that the payment really took place?
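To make the second answer's point about Access-Control-Allow-Origin: * concrete, here is an added example (not code from any poster or from the payment system) of how a server should decide its CORS headers: it echoes only an allowlisted origin and never pairs a wildcard with credentials. The origins in the allowlist are constructed placeholders.

```python
# Added example: server-side CORS decision against an explicit allowlist.
# Origins below are constructed placeholders, not real sites.
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS: FrozenSet[str] = frozenset({
    "https://shop.example",      # constructed: the merchant's own site
    "https://checkout.example",  # constructed: a second first-party origin
})


def normalize_origin(origin: str) -> Optional[str]:
    """Return 'scheme://host[:port]' in lowercase, or None if the value
    is not a well-formed Origin header (no path, query, userinfo, 'null')."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers(request_origin: Optional[str], credentials: bool) -> Dict[str, str]:
    """Compute the CORS headers for a response.

    - No Origin header: same-origin or non-browser client, emit nothing.
    - '*' would let any site read the response, and browsers refuse to
      expose a response that pairs '*' with credentials. Reflecting an
      arbitrary Origin together with Allow-Credentials: true would be worse,
      since it hands authenticated responses to every origin. So the only
      value ever emitted is an origin from the allowlist.
    - 'Vary: Origin' keeps caches from serving one origin's header to another.
    """
    if not request_origin:
        return {}
    origin = normalize_origin(request_origin)
    if origin is None or origin not in ALLOWED_ORIGINS:
        # Unknown origin: omit ACAO entirely, so the browser blocks the read.
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    print(cors_headers("https://shop.example", credentials=True))
    print(cors_headers("https://evil.example", credentials=True))  # {}
```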
