143

From my perspective, the technologies referred to as Cross-Origin Resource Sharing (CORS) and Content Security Policies (CSPs) seem to be very similar in purpose and implementation.

Both seem to allow you to whitelist the origins of resources which an uncompromised version of your webpage incorporates, via HTTP response headers. The only difference I can see is that CSPs seem to be more fine-grained in what you can approve in your HTTP response.

Improve this question

6 Answers 6

Reset to default
156

CORS allows the Same Origin Policy to be relaxed for a domain.

e.g. normally if the user logs into both example.com and example.org, the Same Origin Policy prevents example.com from making an AJAX request to example.org/current_user/full_user_details and gaining access to the response.

This is the default policy of the web and prevents the user's data from being leaked when logged into multiple sites at the same time.

Now with CORS, example.org could set a policy to say it will allow the origin https://example.com to read responses made by AJAX. This would be done if both example.com and example.org are ran by the same company and data sharing between the origins is to be allowed in the user's browser. It only affects the client-side of things, not the server-side.

CSPs on the other hand set a policy of what content can run on the current site. For example, if JavaScript can be executed inline, or which domains .js files can be loaded from. This can be beneficial to act as another line of defence against XSS attacks, where the attacker will try and inject script into the HTML page. Normally output would be encoded, however say the developer had forgotten only on one output field. Because the policy is preventing in-line script from executing, the attack is thwarted.

Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

Much clearer and to the point than all mozilla/html5rocks/w3c documents together. Thx.
That's not quite true - The Same Origin Policy will not prevent the AJAX request by default. It will only prevent the browser from accessing the result of the operation. Also, CORS can do more than just relax SOP. It can also further restrict - e.g. when "*" is used as the "Access-Control-Allow-Origin" header, the browser will not send cookies and it will pre-flight certain requests.
@Veita That's what I meant by and gaining access to the response, the and is key here. I also clarify this further on: it will allow the origin https://example.com to read responses made by AJAX
@veita Adding the header doesn't cause any extra preflights, this is in the hands of the code on the calling domain. Whether cookies are sent are also under control of the calling site (and the browser ofc), eg. withCredentials. Non-CORS requests (ie. Those that could be sent via HTML only), send cookies as normal. Think about it, by the time the browser has read the headers it's too late, cookies have already been sent.
Ah good point about the and in your initial response. As for my comment regarding pre-flight - I meant the CORS standard itself introduces that, not a particular header. For example, now that we have the CORS standard, certain requests will pre-flight before initiating the request. If the server responds with "Access-Control-Allow-Origin: *", the client will not send the request (nor the cookies) when it otherwise would have in a pre-cors era. My point being, the CORS standard seems to do more than relax SOP, as it prevents a request that would have initiated otherwise.
|
132

CORS allows a site A to give permission to site B to read (potentially private) data from site A (using the visitor's browser and credentials).

CSP allows a site to prevent itself from loading (potentially malicious) content from unexpected sources (e.g. as a defence against XSS).

Improve this answer

13 Comments

can CSP be used on site A to prevent site A from reading data from site B? I am talking mainly about xhr requests.
@mathk — No. As I said in the answer, they are completely different things.
I mean if you do not allow the browser to download content from site B you will also guaranty that nothing will be sent to site B using CSP ?
@mathk — Site A preventing data being sent to Site B (which can be achieved with CSP) is completely different to Site B preventing Site A from reading data from it (which is the default behaviour but which can be relaxed with CORS).
When folks say these things are "completely different" that just makes the differences harder to understand because they aren't completely different. Same-origin policy (to which CORS is closely related) prevents reading cross-origin requests, the most common way a developer would come into contact with this policy. Likewise, one of the most common ways a developer would come into contact with CSP is because it is blocking cross-origin requests, e.g., in a greasemonkey script.
|
59

@JodySowald's comment, which I find more succinct:

Content-Security-Policy prevents calls to external resources and Cross-Origin-Resource-Sharing prevents calls from external sources. To provide an example. For example.com to show example.net in an iframe, example.com must not block example.net with its CSP settings and example.net must not block example.com with its CORS settings.

Original answer:

None of the answers above give a clear and concise difference between CSP and CORS. Here is my way of thinking about them:

Let's say we have example.com website that wants to send a request to example.net.

  1. When user visits example.com in browser, example.com server returns example.com HTTP response, CSP restriction within this response can prevent example.com in browser from issuing request to example.net.
  2. If there is no CSP restriction within example.com HTTP response, then example.com in browser can send a request to example.net.
  3. Upon receiving the request, example.net server responds with example.net HTTP response, CORS restriction within this response can prevent example.com in browser from loading it. (Note that by default, Same-origin policy will restrict the response from loading, unless otherwise specified by CORS)

So CSP protects example.com and same-origin policy (the lack of CORS) protects example.net in the example above.

Improve this answer

4 Comments

In this example, wouldn't the Same Origin policy protect def.net, whereas CORS removes this protection if enabled?
@Steve you are right, it's kind of a misnomer, I've updated my answer to reflect it.
Is it a correct simplification to say that Content-Security-Policy prevents calls to external resources and Cross-Origin-Resource-Sharing prevents calls from external sources? to provide an example. For abc.com to show def.net in an iframe, abc.com must not block def.net with its CSP settings and def.net must not block abc.com with its CORS settings.
@JodySowald that would seem fitting.
5

CORS checks with the third party for authorization to use its services. So, the third party provides or denies authorization.

So for example if a page in www.example.com needs to make a request to www.example.org, the browser sends an OPTIONS request with Origin: www.example.com as a precursor to request for authorization. Now, www.example.org provides or denies authorization.

CSP prevents a webpage from inadvertently loading malicious content from a third party by specifying where a particular type of content can be loaded from. So, for example you can provide a valid source for each of the following scripts, css, media etc. by using directives

Example:

Content-Security-Policy: default-src 'none'; script-src 'self' www.google-analytics.com ajax.googleapis.com; connect-src 'self'; img-src 'self'; style-src 'self';
Improve this answer

Comments

5

In simple language.

  • CSP: I will not ask you.

  • CORS: I will not give you.

CSP (Content Security Policy)

In CSP, a site will only call or load resources from the sites specified in its CSP. Even if the other site is ready to respond, the site won't call them if they are not listed in the CSP. CSP is to prevent calls to external resources This is designed to prevent a website from loading potentially malicious content from untrusted sources.

Example: If you open facebook.com and CSP is set to facebook.com, it will not call twitter.com or any other site.

Content-Security-Policy: default-src facebook.com

It can also be set in the HTML meta tag.

<meta
  http-equiv="Content-Security-Policy"
  content="default-src https://facebook.com"/>

If this policy is set and the site makes call to other site then browser will block it with blocked:csp error.

CORS (Cross-Origin Resource Sharing)

In CORS, a site can make calls to other sites, but the other site will only respond if the requesting site is allowed by its CORS policy. CORS is to prevent calls from external sources. This prevents a site from sharing data with untrusted origins.

Example: If you open facebook.com with no CSP set, facebook.com can make calls to twitter.com. However, twitter.com will not respond unless facebook.com is allowed by its CORS policy.

Access-Control-Allow-Origin: https://twitter.com

If this policy is set and the site make call to other site then browser will block it with CORS error.

Both CSP and CORS are enforced at the browser level.

You can still make calls using tools like cURL, but the browser will block such requests based on these policies.

Technical details:

  • CSP Info Source: The browser gets CSP information from the server of the site being loaded or from the HTML meta tag. If the other site is not in the CSP list, the browser blocks the call.

  • CORS Preflight Request: The browser makes a preflight request to check if the other site has the appropriate CORS settings. If the requesting site is not in the allowed list, the browser blocks the call.

Improve this answer

Comments

1

Cross-Origin Resource Sharing (CORS)

A response header that tells the browser to only allow specific sources access to your content, e.g.:

Access-Control-Allow-Origin: https://onlinebanking.example.com

CORS was invented in 2004 and won't stop your content from talking to strangers and using replies for *, so since 2013 we have:

Content Security Policy (CSP)

A response header that tells the browser to only allow specific sources to be accessed from the content:

Content-Security-Policy: default-src https://onlinebanking.example.com

That can also be set or tightened via HTML:

<meta
  http-equiv="Content-Security-Policy"
  content="default-src https://onlinebanking.example.com" />
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.