The same-origin policy prevents web application frontends from loading resources that come from different domains, protocols, or cross-origin resource sharing (CORS) policies that relax this restriction. CORS policies that are too permissive could lead to loading content from untrusted or malicious sources.
1var express = require("express")
2var app = express()
3function insecureCorsPolicyNoncompliant() {
4 app.post('/users', function (req, res) {
5 const origin = req.query.origin
6 // Noncompliant: the Access-Control-Allow-Origin header is set to user-controlled any domain.
7 res.set(200, {'Access-Control-Allow-Origin': origin })
8 })
9}
1var express = require("express")
2var app = express()
3function insecureCorsPolicyCompliant() {
4 app.post('/users', function (req, res) {
5 // Compliant: the Access-Control-Allow-Origin header is set to allow only a specific list of trusted domains.
6 res.set(200, {'Access-Control-Allow-Origin': 'trustedsite.com' })
7 })
8}