jameshfisher.com
CORS vs. "I can see your local web servers"
Regarding http://http.jameshfisher.com/2019/05/26/i-can-see-your-local-web-servers:
When I open up a server on my local network and try out your page, the JS console log gives me:
Access to fetch at 'http://192.168.0.1/' from origin 'http://http.jameshfisher.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
It seems to me that in all cases the requests you're talking about should be blocked from getting any data (beyond information that the port is open) by CORS, as per the same origin policy unless the server you're talking to explicitly authorizes such requests from web pages served from other hosts. What am I missing here?
Yes, you're right! If CORS is set up correctly then it shouldn't be a problem. But very many devs have over-permissive CORS in their "local" env.
On Sat, Jun 8, 2019 at 5:42 AM Curt J. Sampson [email protected] wrote:
> Regarding http://http.jameshfisher.com/2019/05/26/i-can-see-your-local-web-servers:
> When I open up a server on my local network and try out your page, the JS console log gives me:
> Access to fetch at 'http://192.168.0.1/' from origin 'http://http.jameshfisher.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
> It seems to me that in all cases the requests you're talking about should be blocked from getting any data (beyond information that the port is open) by CORS https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS unless the server you're talking to explicitly authorizes such requests from web pages served from other hosts. What am I missing here?
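A worked illustration of the point above, added here and not part of the issue thread: a throwaway server on 127.0.0.1 in two configurations, one that reflects any Origin header (the over-permissive "local" setup) and one with an allow-list, each requested with the foreign origin from the console message. The helper `browser_exposes_response`, the allow-listed origin http://localhost:3000 and the response body are assumptions made for the example.

```python
"""Check whether a local dev server's CORS policy lets a foreign origin read its responses."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

FOREIGN_ORIGIN = "http://http.jameshfisher.com"  # the origin named in the console error above


def browser_exposes_response(origin, acao):
    """Apply the check a browser makes before handing a cross-origin fetch() response to page JS.
    True: JS at `origin` can read the body. False: it only learns that the port answered."""
    if acao is None:
        return False
    if acao == "*":
        return True  # wildcard is honoured for credential-less requests
    return acao == origin


class DevHandler(BaseHTTPRequestHandler):
    permissive = True  # constructed setting, toggled by probe()

    def do_GET(self):
        origin = self.headers.get("Origin")
        self.send_response(200)
        if self.permissive and origin:
            # Over-permissive: echo whatever Origin the caller sent.
            self.send_header("Access-Control-Allow-Origin", origin)
        elif origin == "http://localhost:3000":
            # Allow-list: only the assumed local dev UI may read responses.
            self.send_header("Access-Control-Allow-Origin", origin)
        self.end_headers()
        self.wfile.write(b"constructed dev data")

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe(permissive):
    """Start the server, request "/" with a foreign Origin, return whether a browser would expose it."""
    DevHandler.permissive = permissive
    srv = HTTPServer(("127.0.0.1", 0), DevHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        req = Request(f"http://127.0.0.1:{srv.server_port}/", headers={"Origin": FOREIGN_ORIGIN})
        with urlopen(req) as resp:
            return browser_exposes_response(FOREIGN_ORIGIN, resp.headers.get("Access-Control-Allow-Origin"))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("reflect-any-origin server exposes body:", probe(True))   # True
    print("allow-list server exposes body:", probe(False))          # False
```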
> But very many devs have over-permissive CORS in their "local" env.
Ah, right! That hadn't occurred to me, that of course some (perhaps even many) developers would feel that they could be sloppy about CORS on internal development servers because they're behind a firewall. That's a very good point. It's not something I would do myself, especially now that I understand the security ramifications of it, but I can certainly see the attraction of saving the effort.
I think it would be good, though, if you could explain this in your blog post. It does come across as "this is always a security hole" as opposed to "here's an interaction you may not have thought of that you need to be careful about."