Cross-site scripting (XSS) is mentioned in the Wikipedia page for CORS. But I don't see how they are related. What's the connection between CORS and XSS?
https://www.e-systems.tech/documents/20143/30947/main.pdf
Yes, they are extremely connected. I was researching the matter when I came across this unanswered thread. Basically, it should not be a problem for small, simple and public content.
But, as integration through CORS increases in more interactive and complex applications, XSS can be used on a vulnerable system to attack our system. For example, a worm propagating itself through XSS can use the vulnerable system just as a delivery mechanism; however, its target can be our system.
In my research I found that CORS will lead to problems with the most common vulnerabilities, especially with hybrid and multilevel attacks; pairs like XSS-CSRF.
Without discussing all my findings further (it was a big paper), if you really want to integrate systems through CORS, vulnerability assessments should be made on all partners involved in resource sharing. Depending on the application's domain, if sensitive data is involved, legal concerns will emerge (e.g., who is responsible if a breach occurs). (The complexity is rarely justifiable.)
To use CORS correctly on complex systems, a security professional should be involved. And if the system is to grow with several partners and policies for diverse resources, security should be embedded in the architecture to validate constraints dynamically.
It seems to be clear that for day-to-day use, CORS should be used on limited applications, without sensitive data or with only truly public resources, unless you really trust your partners' security - and implement all the configuration correctly. This is valid if you are building server-side architectures, but the other way around is also true, as one will need to trust the content that is to be added on the client side.
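
One way to express per-resource sharing policies as a server-side check, as an added example that is not from the answer above or the linked paper; the policy table, paths and origins are constructed, hypothetical values, and `path` is assumed to be the server's already-normalized request path:

```javascript
// Added illustration: hypothetical per-resource CORS policy (constructed values).
const POLICY = [
  // Truly public data: any origin may read it, but never with credentials.
  { prefix: "/public/", origins: "*", credentials: false },
  // Partner integration: exact-match allowlist, credentials allowed.
  { prefix: "/partner-api/", origins: ["https://partner.example"], credentials: true },
  // Sensitive data: no cross-origin sharing at all, so a script injected
  // into a partner page cannot read it with the user's cookies.
  { prefix: "/account/", origins: [], credentials: false },
];

// Returns the CORS response headers for one request, or {} to share nothing.
function corsHeaders(path, origin) {
  // Default deny: no Origin header, or a path that still has dot segments.
  if (!origin || path.includes("..")) return {};
  const rule = POLICY.find((r) => path.startsWith(r.prefix));
  if (!rule) return {};
  if (rule.origins === "*") {
    // Wildcard sharing is never combined with credentials.
    return { "Access-Control-Allow-Origin": "*" };
  }
  // Exact string comparison only: no substring, suffix or regex matching,
  // and the Origin header is never echoed back unchecked.
  if (!rule.origins.includes(origin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin", // keep shared caches from serving one origin's grant to another
  };
  if (rule.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}
```

Anything reachable under `/partner-api/` is still exposed to whatever runs in the allowlisted partner's pages, so that prefix should hold only what the partner is trusted with.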