
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive

    Details

    • Message:
      Make sure this permissive CORS policy is safe here.
    • Highlighting:
      The HTTP header, configuration option or code enabling CORS
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C#, Go, PHP, Ruby, Scala, VB.Net
    • Covered Languages:
      Java, JavaScript, Python, TypeScript
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-346, CWE-942
    • OWASP:
      A6
    • SANS Top 25:
      Porous Defenses

      Description

      Having a permissive Cross-Origin Resource Sharing policy is security-sensitive. It has led in the past to the following vulnerabilities:

      The same-origin policy in browsers prevents, by default and for security reasons, a JavaScript frontend from performing a cross-origin HTTP request to a resource whose origin (domain, protocol, or port) differs from its own. The requested target can append additional HTTP headers to its response, the CORS headers, which act as directives for the browser and relax the same-origin policy by changing the access control decision.

      Ask Yourself Whether

      • You don't trust the origin specified, example: Access-Control-Allow-Origin: untrustedwebsite.com.
      • The access control policy is entirely disabled: Access-Control-Allow-Origin: *
      • Your access control policy is dynamically defined by user-controlled input such as the Origin request header.

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • The Access-Control-Allow-Origin header should be set only for a trusted origin and for specific resources.
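
      The risky configurations listed above beside the recommended allowlist, as an added JavaScript example that is not code from the RSPEC page or from SonarSource; the trusted origin, the sample origins and the simplified readableFrom() browser check are constructed assumptions:

```javascript
// Added example, not part of the RSPEC-5122 page or SonarSource's analyzers.
// Each policy function returns the CORS response headers a server would emit
// for the request's Origin header; readableFrom() models whether the browser
// then lets a page from `pageOrigin` read the response.

// Constructed allowlist of trusted origins (scheme + host + port, exact match).
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// Rule case "access control policy is entirely disabled": the wildcard lets any
// site read the response (browsers refuse it only for credentialed requests).
function corsWildcard() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Rule case "policy dynamically defined by user-controlled input": echoing the
// Origin header back unchecked trusts every origin, and combined with
// Access-Control-Allow-Credentials it also exposes authenticated responses.
function corsReflectOrigin(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Recommended practice: allow only an explicitly trusted origin, echo exactly
// that value, and emit no CORS headers for everything else.
function corsAllowlist(requestOrigin, trusted = TRUSTED_ORIGINS) {
  if (!requestOrigin || !trusted.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    // The response now depends on Origin; stop shared caches from serving
    // one origin's answer to another.
    "Vary": "Origin",
  };
}

// Browser-side decision for the headers above (simplified CORS read check).
function readableFrom(pageOrigin, headers, withCredentials = false) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  return acao === pageOrigin;
}

// Demo: which policy lets a page from an untrusted origin read the response?
const untrusted = "https://untrusted.example";
for (const [name, policy] of Object.entries({ corsWildcard, corsReflectOrigin, corsAllowlist })) {
  console.log(name, readableFrom(untrusted, policy(untrusted)));
}
```

Only corsAllowlist() prints false for the untrusted origin; a look-alike such as https://app.example.com.untrusted.example also gets no headers because the comparison is an exact match, not a prefix or suffix check.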

      See

          Issue Links

          1. Java RSPEC-5123 Language-Specification Active Unassigned
          2. C# RSPEC-5124 Language-Specification Active Unassigned
          3. JavaScript RSPEC-5125 Language-Specification Active Unassigned
          4. VB.NET RSPEC-5126 Language-Specification Active Unassigned
          5. PHP RSPEC-5127 Language-Specification Active Unassigned
          6. XML RSPEC-5218 Language-Specification Active Unassigned
          7. Python RSPEC-5610 Language-Specification Active Unassigned

              People

              • Assignee:
                Unassigned
              • Reporter:
                lars.svensson Lars Svensson (Inactive)
              • Votes:
                1
              • Watchers:
                3
