In answer to your second question (If a CORS enabled server sets a session_token through a cookie…?), the cookie is saved under the domain of the CORS server. The main web page’s JS code can’t access the cookie, even via document.cookie. The cookie is only sent to the server when the .withCredentials property is set, and even then, it is only accepted when the server sets the Access-Control-Allow-Credentials header.
Your first question is a little more open ended. It is fairly secure, but there are ways to circumvent things. For example, an attacker could use a DNS poisoning technique to cause a preflight request to hit the actual server, but send the actual CORS request to the rogue server. Here are some more resources on CORS security:
- http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
- owasp.org CORS CheatSheet
Lastly, your concern is around giving any website access to your CORS data. In order to protect against this, you should not use the Access-Control-Allow-Origin: * header. Instead, you should echo back the user’s Origin value. For example:
Access-Control-Allow-Origin: http://www.example.com
This header will allow only http://www.example.com to access the response data.
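The allowlist-and-echo approach described in this answer, written out as an added example (not code from the original answer or from any project): a plain Node.js handler that compares the request Origin against an exact-match allowlist, echoes back only a matching value together with Access-Control-Allow-Credentials and Vary: Origin, and emits no CORS headers at all for anything else. The wildcard variant is shown beside it for contrast. The origin names, the allowed methods/headers list and the handle() function are constructed for the example.

```javascript
// Added example, not part of the original answer. Computes CORS response
// headers for an API that relies on cookies (credentialed requests).
// Origins below are constructed for the example.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // constructed
  'https://admin.example.com', // constructed
]);

// Weak configuration: a wildcard origin. Browsers will not expose a response
// to a credentialed (withCredentials) request when the origin is "*", and
// for non-credentialed requests the wildcard hands the data to every site.
function weakCorsHeaders() {
  return {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true', // ignored by browsers with "*"
  };
}

// Hardened configuration: exact-match allowlist, echo back only an allowed
// origin. Exact Set membership avoids the classic mistakes of substring or
// endsWith() checks (e.g. "https://app.example.com.attacker.test" would pass
// an endsWith("example.com") test but fails here). Returns null when the
// origin is absent or not allowed, so no CORS headers are emitted at all.
function corsHeaders(requestOrigin, { preflight = false } = {}) {
  if (typeof requestOrigin !== 'string' || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return null;
  }
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // Without Vary: Origin a shared cache could serve the response echoing
    // one origin to a request coming from a different origin.
    'Vary': 'Origin',
  };
  if (preflight) {
    // Only needed on the OPTIONS preflight response (values are constructed).
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, X-Requested-With';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Request handler usable with http.createServer(handle). Preflights get an
// empty 204; real requests get the resource plus the echoed origin.
function handle(req, res) {
  const isPreflight = req.method === 'OPTIONS';
  const cors = corsHeaders(req.headers.origin, { preflight: isPreflight });
  if (cors) {
    for (const [name, value] of Object.entries(cors)) res.setHeader(name, value);
  }
  if (isPreflight) {
    res.writeHead(204);
    res.end();
    return;
  }
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}

module.exports = { ALLOWED_ORIGINS, weakCorsHeaders, corsHeaders, handle };
```

To run it, wire handle() into a server with require('http').createServer(handle).listen(port). Note that the allowlist only decides which origins may read the response; it is not a substitute for CSRF protection, because the browser still sends the cookie on a credentialed request before the response is checked.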