JavaScript : Unsafe cross-origin resource sharing (CORS) policy
Classification

OWASP Top 10 2013: A5 - Security Misconfiguration
OWASP Top 10 2017: A5 - Broken Access Control; A6 - Security Misconfiguration
OWASP Top 10 2021: A1 - Broken Access Control; A5 - Security Misconfiguration; A4 - Insecure Design; A8 - Software and Data Integrity Failures
OWASP ASVS: Configuration
CWE: CWE-183, CWE-345, CWE-346, CWE-451, CWE-942, CWE-1031

Overview
An insecure CORS configuration may lead to application data being compromised.

CORS (Cross-Origin Resource Sharing) is a mechanism defined in the HTML5 standard that enables JavaScript code to work with data from another domain. CORS parameters are set through the Access-Control-Allow-Origin HTTP header.

A CORS policy that is not defined precisely enough (for example, one that accepts any origin the browser sends) may lead to application data being compromised.