As already explained, when CORS is enabled, a web browser is allowed to load resources
from origins (hosts) that are different from the origin of the initial user's request
(the host which appears in the browser's address bar).
Exploitation example 1
You browse the web page of your bank https://www.mybank.example (which you clearly trust to some extent, since you opened an account with them) in order to log into your online
Unfortunately, your bank has decided to use CORS for parts of its website, and because of that its website loads images or scripts from other third-party hosts (that it trusts, or that it uses for economic convenience) using CORS.
The external provider of images, scripts or HTML code does not necessarily follow the same security standards as your bank (or it is just about to go bankrupt and therefore urgently needs cash).
harmful code: the latter is extremely easy to embed into a digital image by exploiting, for example, widespread "buffer overflow"
The result is that, after pointing your web browser to your bank's website https://www.mybank.example, you have loaded not only the trusted code supplied by your bank, but also harmful code from, say, https://www.evilprovider.example, resulting in a crash of your online banking session and eventually in the compromise of sensitive data.
Exploitation example 2
You browse the web page of an "embarrassing" website https://www.embarassing.example which makes you laugh and have good fun, and you have trusted the website maintainers over the years to be respectful of visitors' privacy.
Unfortunately, your favourite embarrassing website has recently signed a business agreement to deliver videos using a so-called Content Delivery Network (CDN), which possibly does not respect visitors' privacy as much as the real https://www.embarassing.example does.
The result is that every time you point your browser to https://www.embarassing.example, your IP (Internet Protocol) address is logged not only by the website that you intended to visit, but also by the host of the malicious Content Delivery Network: so your Internet browsing privacy is lost!
Exploitation example 3
For many applications, a parallel can be made between Cross-Origin Resource Sharing in computer security and the abstract concept of "externalization of security". Externalization (outsourcing) is by definition the act of delegating something to somebody else. For a business, externalization of computer security (outsourcing of computer security) means delegating the protection and confidentiality of critical or confidential information and data to other business entities in exchange for money, through a free-market agreement.
However, information security or computer security is critical to most business organizations and persons, so the act of externalizing (or outsourcing) it necessarily implies a critical dependency on another (external) organization, and therefore it might lead to a critical loss of security, should the external organization fail or breach the agreement.
Also consider that, once an organization has agreed to outsource part of its data processing, usually nothing prevents its most dangerous form, namely multi-level outsourcing, from taking place.
Therefore, in most cases, and in particular for information or computer security, the act of externalizing or outsourcing information and computer security generally implies an extremely high risk of losing all security (externalization of information security will always tend towards having no security in place at all).
This example can often be related to the so-called "decentralized Ponzi schemes" as well as to the so-called "pyramid schemes", both of which are well-known fraud schemes.
The conclusion is that, exactly as usually happens in real life, trust is not a transitive relation: you do not normally trust your friends' acquaintances, and sometimes not even your son's new girlfriend, until you get to know them a little.
This is the reason why you should not, in general, trust CORS to load resources that you have not explicitly requested.
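One practical way to act on that advice is to audit which other origins a page actually pulls resources from and compare them against an explicit list of origins you have decided to trust. The following is an added example, not code from the original page; the sample HTML, the function name audit_cross_origin and the hostnames (apart from the mybank and evilprovider examples above) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and attributes through which a page pulls in resources from other hosts.
RESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href",
                  "iframe": "src", "video": "src", "source": "src"}


def origin_of(url):
    """Reduce a URL to its origin: scheme://host[:port], lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class ResourceCollector(HTMLParser):
    """Record (tag, absolute URL) for every resource reference in a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # Resolve relative and scheme-relative ("//host/...") references.
            self.refs.append((tag, urljoin(self.page_url, value)))


def audit_cross_origin(html, page_url, trusted_origins):
    """Return {origin: [(tag, url), ...]} for every resource loaded from an
    origin that is neither the page's own nor explicitly trusted."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    trusted = {o.lower() for o in trusted_origins} | {origin_of(page_url)}
    untrusted = {}
    for tag, url in collector.refs:
        origin = origin_of(url)
        if origin not in trusted:
            untrusted.setdefault(origin, []).append((tag, url))
    return untrusted


# Constructed sample page: one own-origin stylesheet and image, one script from
# a trusted CDN, and two references to a third-party host nobody approved.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.trusted-cdn.example/lib.js"></script>
<script src="//www.evilprovider.example/track.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="https://www.evilprovider.example/pixel.gif">
</body></html>"""
```

Running audit_cross_origin(SAMPLE_PAGE, "https://www.mybank.example/login", ["https://cdn.trusted-cdn.example"]) reports only https://www.evilprovider.example, with the script and the image that come from it.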
Future global networks will need to be fully decentralized and fully symmetric for maximum reliability and maximum security for all participants!