The CORS Demos
Thurs 5th March 20
On a recent test, I had to do some work on what turned out to be a badly configured CORS policy. Seeing as I hadn't dug into CORS in a while, it took me a bit of reading to remember which response headers meant what, and which situations were affected by those headers.
I spoke to a few people who said they had the same problem, so I decided to put together this set of demos, where I've tried to document and demonstrate each of the different situations. Hopefully this will help us all remember next time.
If you think I've missed anything, or want something extra added, get in touch.
Play the CORS Demos.
References
Some useful reference material to help further research.
- Using CORS - An old page from HTML5Rocks that explains CORS and XMLHttpRequest.
- CORS Tutorial: A Guide to Cross-Origin Resource Sharing - A guide to CORS by Auth0.
- Exploiting CORS misconfigurations for Bitcoins and bounties - A blog post and video about exploiting CORS by James Kettle from PortSwigger.
- To CORS, the cause of and solution to your SPA problems - By Tim "lanmaster53" Tomes and Kevin Cody.
- CORB Explainer - An intro to CORB by Google.
- Various headers used by CORS.