Does a proper CORS setup prevent CSRF attack?

cors same-origin-policy csrf websecurity

If CORS is properly setup on a server to only allow a certain origins to access the server,

Is this enough to prevent CSRF attacks?


To be more specific, it is easy to make the mistake of thinking that if evil.com cannot make a request to good.com due to CORS then CSRF is prevented. There are two problems being overlooked, however:

  1. CORS is respected by the browsers only. That means Google Chrome will obey CORS and not let evil.com make a request to good.com. However, imagine someone builds a native app or whatever which has a form that POSTs things to your site. XSRF tokens are the only way to prevent that.

  2. Is it easy to overlook the fact that CORS is only for JS request. A regular form on evil.com that POSTs back to good.com will still work despite CORS.

For these reasons, CORS is not a good replacement for XSRF tokens. It is best to use both.


No!

CORS enables sharing between two domains where XSRF is attacking method that does not depend on CORS in anyway.

I don't understand what you mean by "CORS is properly setup" but when attacking with XSRF, browser don't ask for CORS headers on server.

CORS is not security :)

Related

Allowing the this reference to escape
How can I set a deeply nested value in Immutable.js?
Can I force CloudFormation to delete non-empty S3 Bucket?
Your repository has no remotes configured to push to
How are primitive data types made in C#?
Unbound breakpoint - VS Code | Chrome | Angular
Tracking report usage
What is the best 32bit hash function for short strings (tag names)?
using ILMerge with .NET 4 libraries
Can a destructor be recursive?
Unpacking argument lists for ellipsis in R
How to reduce Seq[Either[A,B]] to Either[A,Seq[B]]?