Why is this an issue?

Having a permissive Cross-Origin Resource Sharing policy is security-sensitive. It has led in the past to the following vulnerabilities:

The browser's same-origin policy prevents, by default and for security reasons, a JavaScript frontend from performing a cross-origin HTTP request to a resource whose origin (domain, protocol, or port) differs from its own. The requested target can append additional HTTP headers to its response, called CORS headers, that act as directives for the browser and change the access control policy, i.e. relax the same-origin policy.

How to fix it in Core PHP

Code Examples

Noncompliant Code Example

header("Access-Control-Allow-Origin: *"); // Noncompliant

Compliant Solution

header("Access-Control-Allow-Origin: $trusteddomain");

How to fix it in Laravel

Code Examples

Noncompliant Code Example

response()->header('Access-Control-Allow-Origin', "*"); // Noncompliant

Compliant Solution

response()->header('Access-Control-Allow-Origin', $trusteddomain);

How to fix it in Symfony

Code Examples

Noncompliant Code Example

use Symfony\Component\HttpFoundation\Response;

$response = new Response(
    'Content',
    Response::HTTP_OK,
    ['Access-Control-Allow-Origin' => '*'] // Noncompliant
);
$response->headers->set('Access-Control-Allow-Origin', '*'); // Noncompliant

User-controlled origin:

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Request;

$request = Request::createFromGlobals();
$response = new Response('Content', Response::HTTP_OK);

// Reflecting the request's Origin header unchanged lets any site read the response
$origin = $request->headers->get('Origin');

$response->headers->set('Access-Control-Allow-Origin', $origin); // Noncompliant

Compliant Solution

use Symfony\Component\HttpFoundation\Response;

$response = new Response(
    'Content',
    Response::HTTP_OK,
    ['Access-Control-Allow-Origin' => $trusteddomain]
);

$response->headers->set('Access-Control-Allow-Origin', $trusteddomain);

User-controlled origin validated with an allow-list:

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Request;

$request = Request::createFromGlobals();
$response = new Response('Content', Response::HTTP_OK);

$origin = $request->headers->get('Origin');

// Strict comparison (third argument true) so PHP's loose == rules cannot match an unexpected value
if (in_array($origin, $trustedOrigins, true)) {
    $response->headers->set('Access-Control-Allow-Origin', $origin);
}
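The Core PHP and Symfony snippets above show the decision in one line each. The following is an added example, not code from the rule page or from any of the frameworks it covers: a small Core PHP helper that only echoes an Origin value present in a strict allow-list, sends Vary: Origin so a shared cache does not serve one origin's response to another, and answers preflight (OPTIONS) requests. The origins in $trustedOrigins, the function names allowedOrigin and corsHeaders, and the allowed methods and headers are placeholders chosen for the example.

```php
<?php
// Added example (not from the SonarSource rule page or the frameworks it covers).
// Allow-listed CORS for Core PHP: exact-match origin check, Vary: Origin, preflight.
declare(strict_types=1);

/**
 * Return the Origin value to echo back, or null when it is not trusted.
 * Comparison is exact on the full origin (scheme + host + port), so
 * "https://app.example.com.evil.test" or "http://app.example.com" never match
 * an entry for "https://app.example.com".
 */
function allowedOrigin(?string $origin, array $trustedOrigins): ?string
{
    if ($origin === null || $origin === '') {
        return null; // same-origin or non-browser request: no CORS headers needed
    }
    // Strict comparison: avoid PHP's loose == rules inside in_array().
    return in_array($origin, $trustedOrigins, true) ? $origin : null;
}

/**
 * Build the CORS response headers for one request. Returns an associative
 * array so the logic can be unit-tested without emitting headers.
 */
function corsHeaders(?string $origin, string $method, array $trustedOrigins): array
{
    // Always vary on Origin: the response differs per origin, so caches must not mix them.
    $headers = ['Vary' => 'Origin'];

    $allowed = allowedOrigin($origin, $trustedOrigins);
    if ($allowed === null) {
        return $headers; // no Access-Control-Allow-Origin: the browser blocks the cross-origin read
    }

    $headers['Access-Control-Allow-Origin'] = $allowed;
    // Credentials may only be allowed for an explicit origin, never together with "*".
    $headers['Access-Control-Allow-Credentials'] = 'true';

    if ($method === 'OPTIONS') {
        // Preflight answer: placeholder method/header lists, adjust to the real API.
        $headers['Access-Control-Allow-Methods'] = 'GET, POST';
        $headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
        $headers['Access-Control-Max-Age'] = '600';
    }
    return $headers;
}

// Usage in the request cycle. Placeholder origins; use exact scheme://host[:port] values.
$trustedOrigins = ['https://app.example.com', 'https://admin.example.com'];

$requestOrigin = $_SERVER['HTTP_ORIGIN'] ?? null;
$requestMethod = $_SERVER['REQUEST_METHOD'] ?? 'GET';

foreach (corsHeaders($requestOrigin, $requestMethod, $trustedOrigins) as $name => $value) {
    header("$name: $value");
}

if ($requestMethod === 'OPTIONS') {
    http_response_code(204); // preflight carries no body
    exit;
}
```

Keeping the allow-list as complete origins rather than bare hostnames is what makes the exact comparison meaningful; a substring or prefix check on the host would let a lookalike origin through. The same allowedOrigin decision can be dropped into the Symfony or Laravel variants by feeding it $request->headers->get('Origin') instead of $_SERVER['HTTP_ORIGIN'].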

Resources