Adding localhost as an allowed origin in the backend code is not less secure.
About CORS
CORS is a browser-enforced mechanism layered on top of the same-origin policy: it governs which cross-origin reads a browser will permit between sites. Using an alternative technology such as a native HTTP client bypasses all of the protections the browser provides (e.g. CORS, CSP) and still leaves you open to XSS (cross-site scripting) attacks.
CORS is designed to prevent other websites (within the browser context only) from using your APIs. It's worth noting that this applies to a browser context only: you can simply call your API from any non-browser application, and there is no security there. It is just a restriction on resource sharing within browsers that prevents read access to a resource (which also happens to prevent a form of cross-site scripting (XSS) attack using cookies).
Given that CORS does not add any security to API access itself, allowing a particular origin such as localhost does not make your API less secure.
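To make the point concrete, here is an added example of how a backend would allow localhost as one origin among an explicit allowlist. It is not code from this article or from any framework; the helper names (isAllowedOrigin, corsHeadersFor, naivePrefixCheck) and the allowlist contents are assumptions. The check the practitioner cares about is that the Origin header is compared by exact match, since a prefix or substring check on "localhost" would also accept an unrelated host whose name merely starts with that string.

```javascript
// Added example (not from the article): strict CORS allowlist for a backend.
// Allowed origins must match exactly on scheme, host and port.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // production front-end (constructed value)
  'http://localhost:3000',     // local development front-end (constructed value)
]);

// Exact-match check against the allowlist. A missing or non-string Origin
// (e.g. a same-origin request or a non-browser client) is simply not a CORS
// request and gets no CORS headers.
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// The mistake this example guards against: a prefix check on the hostname.
// 'http://localhost.some-other-host.example' starts with 'http://localhost',
// so this function would wrongly allow it.
function naivePrefixCheck(origin) {
  return typeof origin === 'string' && origin.startsWith('http://localhost');
}

// Response headers for a request from `origin`. Returns {} when the origin is
// not allowlisted, so the browser blocks the cross-origin read. The allowed
// origin is echoed back individually rather than using '*', because '*' is
// not permitted together with Access-Control-Allow-Credentials.
function corsHeadersFor(origin, { preflight = false } = {}) {
  if (!isAllowedOrigin(origin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The value varies per origin, so shared caches must key on Origin.
    'Vary': 'Origin',
  };
  if (preflight) {
    // Answer an OPTIONS preflight for the methods/headers the API accepts.
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Minimal request handler shape: preflights get a 204 with CORS headers,
// everything else gets the normal response plus CORS headers (if allowed).
function handleRequest({ method, origin }) {
  const preflight = method === 'OPTIONS';
  const headers = corsHeadersFor(origin, { preflight });
  return { status: preflight ? 204 : 200, headers };
}

// Constructed sample requests.
const devRequest = handleRequest({ method: 'GET', origin: 'http://localhost:3000' });
const lookalike = handleRequest({ method: 'GET', origin: 'http://localhost.some-other-host.example' });
console.log(devRequest.headers['Access-Control-Allow-Origin']); // http://localhost:3000
console.log(Object.keys(lookalike.headers).length);             // 0
```

Note that an allowlist like this does nothing against a non-browser client, which is exactly the article's point: the headers only tell the browser which cross-origin pages may read the response.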
What about XSS?
An XSS attack is achieved by executing malicious JavaScript in your app or from a site that can talk to your app. Angular and React mitigate it through sanitization (see here); Vue does so if you use an external library. If you render content from someone else's website, you can mitigate XSS attacks through a good CSP. So sanitization and Content Security Policies are your best defense against stored, reflected and DOM-based XSS attacks. Adding CORS to further restrict origins to localhost and same-origin helps, as it prevents a subset of exploits.
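As an added example of the two defenses named above (not code from the article or from Angular, React or Vue), the following shows server-side output encoding of untrusted text and a Content Security Policy header that blocks inline script. The helper names escapeHtml, renderComment and buildCsp, and the sample comment, are assumptions constructed for this illustration.

```javascript
// Added example (not from the article): output encoding plus a CSP as
// layered defenses against stored, reflected and DOM-based XSS.

// Encode the characters that let untrusted text break out of an HTML text
// node or a double-quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a user-supplied comment into a template. The stored value is treated
// as data, never as markup, so a stored payload renders as visible text.
function renderComment(author, body) {
  return `<article class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</article>`;
}

// Build a CSP that allows scripts only from the page's own origin (plus any
// explicitly trusted hosts) and forbids inline script, plugins and framing.
// If an encoding gap ever slips through, an injected inline <script> or a
// javascript: URL still will not execute under this policy.
function buildCsp({ scriptHosts = [] } = {}) {
  const scriptSrc = ["'self'", ...scriptHosts].join(' ');
  return [
    "default-src 'self'",
    `script-src ${scriptSrc}`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Response headers a handler would attach alongside the rendered HTML.
function securityHeaders(options) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': buildCsp(options),
  };
}

// Constructed sample: a comment body carrying a script tag.
const SAMPLE_BODY = '<script>alert(1)</script>';
const rendered = renderComment('mallory', SAMPLE_BODY);
console.log(rendered);   // the tag appears as &lt;script&gt;..., not as markup
console.log(buildCsp()); // default-src 'self'; script-src 'self'; ...
```

The two layers are independent: encoding stops the injection at the template, and the CSP limits what an injection could do if one ever lands in a page that was not encoded correctly.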
Some good links for research:
https://www.acunetix.com/blog/articles/dom-xss-explained/
https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3