replaced http://stackoverflow.com/ with https://stackoverflow.com/

I understand the purpose of the Access-Control-Allow-Credentials header, but can't see what problem the Access-Control-Allow-Origin header solves.

More precisely, it's easy to see how, if cross-domain AJAX requests with credentials were permitted by default, or if some server were spitting out Access-Control-Allow-Credentials headers on every request, CSRF attacks would be made possible that could not otherwise be performed. The attack method in this scenario would be simple:

  1. Lure an unsuspecting user to my malicious page.
  2. JavaScript on my malicious page sends an AJAX request - with cookies - to some page of a target site.
  3. JavaScript on my malicious page parses the response to the AJAX request, and extracts the CSRF token from it.
  4. JavaScript on my malicious page uses any means - either AJAX or a traditional vessel for a CSRF request, like a form POST - to perform actions using the combination of the user's cookies and their stolen CSRF token.

However, what I can't see is what purpose is served by not allowing uncredentialed cross-domain AJAX requests without an Access-Control-Allow-Origin header. Suppose I were to create a browser that behaved as though every HTTP response it ever received contained

Access-Control-Allow-Origin: *

but still required an appropriate Access-Control-Allow-Credentials header before sending cookies with cross-domain AJAX requests.

Since CSRF tokens have to be tied to individual users (i.e. to individual session cookies), the response to an uncredentialed AJAX request would not expose any CSRF tokens. So what method of attack - if any - would the hypothetical browser described above be exposing its users to?
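As an added illustration of the two headers the question contrasts (not part of the original post): a simplified model of the browser-side check that decides whether cross-origin script may read a response. It covers only Access-Control-Allow-Origin and Access-Control-Allow-Credentials; the sample responses and origins are constructed for the example.

```javascript
// Simplified model of the browser's CORS response-exposure rule for the two
// headers discussed above. A real browser also handles preflights, redirects,
// the "null" origin and Vary; those are out of scope here.

// Case-insensitive header lookup, since HTTP header names are case-insensitive.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// requestOrigin: origin of the page issuing the request (constructed values below)
// withCredentials: whether cookies/auth were attached to the request
// responseHeaders: headers the target server returned
// Returns whether the calling script may read the response body, and why.
function corsResponseReadable(requestOrigin, withCredentials, responseHeaders) {
  const acao = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  const acac = getHeader(responseHeaders, "Access-Control-Allow-Credentials");

  // No Allow-Origin at all: the request may still have been sent, but the
  // response is opaque to the script.
  if (acao === null) {
    return { readable: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (withCredentials) {
    // The wildcard is rejected for credentialed requests: a server exposing
    // user-specific responses must name the origin explicitly.
    if (acao === "*") {
      return { readable: false, reason: "wildcard origin not allowed with credentials" };
    }
    if (acac !== "true") {
      return { readable: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
    }
  }
  if (acao !== "*" && acao !== requestOrigin) {
    return { readable: false, reason: `origin ${requestOrigin} not allowed (header names ${acao})` };
  }
  return { readable: true, reason: "allowed" };
}

// Constructed sample: a server that emits Allow-Credentials on every response
// but pairs it with a wildcard origin still does not expose credentialed reads.
const sloppyServer = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
};
console.log(corsResponseReadable("https://attacker.example", true, sloppyServer));
console.log(corsResponseReadable("https://attacker.example", false, sloppyServer));
```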

Link to the purpose of the header. Fix "JavaScript" capitalization.

edited tags
Anders
Tweeted twitter.com/#!/StackSecurity/status/388367710260051968
deleted 131 characters in body
Mark Amery