HTML5 cross-origin resource sharing

Issue:  HTML5 cross-origin resource sharing Host:  https://staging.factlink.com Path:  /about Issue detail The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request which allows access from any domain. Allowing access from all domains means that any domain can perform two-way interaction with the application via this request. Unless the response consists only of unprotected public content, this policy is likely to present a security risk. Request GET /about HTTP/1.1 Host: staging.factlink.com Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Response HTTP/1.1 200 OK Server: cloudflare-nginx Date: Tue, 27 May 2014 07:33:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Access-Control-Allow-Origin: * Access-Control-Request-Origin: * Cache-Control: max-age=0, private, must-revalidate Etag: "795aedd001353f0d22d06464c9bed415" Set-Cookie: _FactlinkUI_session=MGovQUM2eEgwMGVpOXNlQ3VGUkhjM25qbUNNL1IraEZyWDJqNWZrS00xS3pLV0g4N2NzZGVJdml1ejVYNDZMQU9Ma1hiR2JMQ0orOXk0VzV5UTlsdzVMQytwTlJTbGFlbE9ZYUZGQzUrbVFEWEVYWkF2eHI4TU1pUTdMR3M2d2tnUE5oeWxub2J1L1ZpenRuNDBOaDNUMDl5ekhiNjQ3NXpZRUdnZG5qZmZaK2IwZ0xWQUU1eE55bDVuRmJXRWJKLS1oN0kzUHlERktoeDg1aVJrWlEyVnRBPT0%3D--28d1f4b8b8449a1d786d9e04d9ceceda18c13c98; path=/; secure; HttpOnly Status: 200 OK Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Request-Id: e979123f-857c-4a4d-b798-e60b959206ba X-Runtime: 0.055909 X-Xss-Protection: 1; mode=block CF-RAY: 1310866ffa7203ac-SIN Content-Length: 10091 Issue background The HTML5 cross-origin resource sharing policy controls whether and how content running on other domains can perform two-way interaction with the domain which publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially retrieve content from the application, and sometimes carry out actions within the security context of the logged in user. Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access. Issue remediation You should review the domains which are allowed by the CORS policy in relation to any sensitive content within the application, and determine whether it is appropriate for the application to trust both the intentions and security posture of those domains.