Cross-Origin Resource Sharing (CORS) https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
What requests use CORS? This cross-origin sharing standard can enable cross-site HTTP requests for:
Web Fonts (for cross-domain font usage in @font-face within CSS), so that servers can deploy TrueType fonts that can only be loaded cross-site and used by web sites that are permitted to do so. WebGL textures. Images/video frames drawn to a canvas using drawImage(). CSS Shapes from images. Simple Requests Some requests don’t trigger a CORS preflight.
Intro SOP restricts how a document or script loaded from one origin can interact with resource from another origin (cross domain traffic)
Implemented in the Browser
Policies are applied in the Background without User interaction required
Restrict access to:
DOM Cookies WebStorage Local Storage Session Storage IndexedDB Restrict Components
Javascript API XMLhttpRequest (XHR), Fetch API Flash (t 2020) … Applets, Silverlight, XDomainRequest How it Works SOP = Protocol = https = Hostname = www.
What is a HTTP Cookie? https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with later requests to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.
Takeaway from http basics always send sensitive data over post (and not get request!) always send a redirect after sucessful login (so the data get’s flushed out of the client memory) always create a new session after sucessful login (Session Fixation) sha256: b98a2764ae1ac790fee3451f8e70f147420578c159d179332b8b29cbd7239e75