The more I watch this man’s videos the more I respect him.
James is a legend thank you for this presentation
I smiled when I heard James' voice! love you man!
Great presentation and information!
This all seems more like an issue with the browser being all too happy to share secrets between sites rather than an issue with the sites themselves.
The browser by default does not allow cross-origin requests; these are all examples of sites specifically telling browsers that cross-origin requests should be allowed. The ability to permit certain cross-origin requests is incredibly useful and without it most services on the internet would break.
@@8ytan Does the CORS exploit work against the Authorization header as well, or only pass the session cookie?
@@tuandane82 in theory if you're using an authorisation header containing an access token to authenticate, then misconfigured CORS isn't a huge concern because attempts to exploit the weak CORS policy will lack a valid token and therefore fail. That said, it's still good practice to think about what origins, methods etc. will reasonably need to access your service and configure the CORS headers accordingly.
@@tuandane82 As far as I know, yes, it works.
@@8ytan Careful: browsers do not by default block all cross-origin requests, even those issued by a JavaScript-based client (e.g. fetch) and those carrying cookies.
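The thread above turns on two points: a site grants cross-origin read access by reflecting the Origin header with Access-Control-Allow-Credentials: true, and such a grant only matters when the browser attaches the credential by itself (a session cookie) rather than when the caller must supply it (a bearer token). The following added example, which is not code from the video or from any commenter, models both: a weak reflect-anything policy beside an exact-match allowlist, the browser's read check, and a tiny endpoint authenticated either by cookie or by Authorization header. The origins, allowlist and secret are constructed for the example.

```python
from typing import Callable, Dict, Optional

# Constructed values for this example: the allowlist, the secret and the origins are made up.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})
SECRET = "account balance: 1234"

Headers = Dict[str, str]
Policy = Callable[[Optional[str]], Headers]


def weak_cors_headers(request_origin: Optional[str]) -> Headers:
    """Reflect whatever Origin arrives and allow credentials: the misconfiguration
    discussed in the thread. Every page on the web is thereby granted read access."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def strict_cors_headers(request_origin: Optional[str]) -> Headers:
    """Grant only origins that genuinely need access, matched by exact string
    equality (no substring or suffix tests); everyone else gets no CORS headers."""
    if request_origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # stop a shared cache replaying one origin's grant to another
        }
    return {}


def browser_permits_read(headers: Headers, page_origin: str, credentials: bool) -> bool:
    """The check a browser makes before exposing a cross-origin response body to script.
    The response always reaches the browser; CORS only decides whether JS may read it."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if credentials:
        # Credentialed requests: '*' is rejected and Allow-Credentials must be exactly 'true'.
        return acao == page_origin and headers.get("Access-Control-Allow-Credentials") == "true"
    return acao == "*" or acao == page_origin


def handle_request(policy: Policy, origin: Optional[str], scheme: str,
                   cookie_present: bool, token_present: bool):
    """Tiny model of an API endpoint. scheme is 'cookie' (session cookie) or
    'bearer' (Authorization header). Returns (response headers, body)."""
    authenticated = cookie_present if scheme == "cookie" else token_present
    body = SECRET if authenticated else "401 unauthorized"
    return policy(origin), body


def script_reads(policy: Policy, scheme: str, page_origin: str) -> Optional[str]:
    """What a script on page_origin sees after fetch(url, {credentials: 'include'}).
    The browser attaches the victim's cookie on its own, but it never adds an
    Authorization header on the page's behalf, so the page holds no bearer token."""
    headers, body = handle_request(policy, page_origin, scheme,
                                   cookie_present=True, token_present=False)
    if not browser_permits_read(headers, page_origin, credentials=True):
        return None  # body withheld from script
    return body


if __name__ == "__main__":
    other = "https://attacker.example"  # constructed third-party origin
    print(script_reads(weak_cors_headers, "cookie", other))    # secret readable
    print(script_reads(weak_cors_headers, "bearer", other))    # readable, but only a 401
    print(script_reads(strict_cors_headers, "cookie", other))  # None: withheld
    print(script_reads(strict_cors_headers, "cookie", "https://app.example.com"))  # legitimate use
```

The model keeps the two layers apart: the server's headers decide what the browser will expose, and the authentication scheme decides whether there is anything worth exposing. It also shows why a reflected origin is the real defect rather than the Allow-Credentials header by itself, and why the fix is an exact allowlist plus Vary: Origin, not a looser pattern match.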
Very well explained.
What if cookies are set to Lax but Access-Control-Allow-Credentials is being sent as true? As Lax does not allow cookies to be set in XHR requests, how will the cookies be sent?
Wondering about the same thing; did you find the answer?
@@somebody3014 Hey man, Lax settings are prioritised. Even if one condition is false, the cookies are not sent. So in my question the cookies will not be sent: even though Allow-Credentials is true, the cookies are Lax (one true condition and one false), so no cookies will be sent. Hope that clears the doubt.
Careful: SameSite=Lax cookies may be included in JavaScript-based requests that cross Web origins. Look up "The great SameSite confusion". 😉
Amazing work!
My favorite hacker
Amazing presentation. Thumbs up
Nice video
WILL BITCOIN GET ATTACKED?? IN FUTURE OR EXPLOITS?
Great. :)
21:47
Awesome
Zomato didn't reply because they are an Indian company.
They have always replied to me within hours! Surprised to see James getting ghosted, kinda weird, but it was 2017; maybe stuff was different back then.