Cross-Origin Resource Sharing (CORS) - am I missing something here?

Question

I was reading about CORS and I think the implementation is both simple and effective.

However, unless I\'m missing something, I think there\'s a big part missing from th

Answer 1

I also checked out the official CORS spec and could not find any mention of this issue.

Right. The CORS specification is solving a completely different problem. You're mistaken that it makes the problem worse - it makes the problem neither better nor worse, because once a malicious script is running on your page it can already send the data anywhere.

The good news, though, is that there is a widely-implemented specification that addresses this problem: the Content-Security-Policy. It allows you to instruct the browser to place limits on what your page can do.

For example, you can tell the browser not to execute any inline scripts, which will immediately defeat many XSS attacks. Or—as you've requested here—you can explicitly tell the browser which domains the page is allowed to contact.