Is my website vulnerable if I use Access-Control-Allow-Origin * for a section?



  • I have a map (OpenLayers) which is integrated in a website made with WordPress. So, the WordPress site has almost nothing to do with the map. The map is only included in an article.

    The WordPress site is on www.example.com. The map is on mymap.example.com.

    In some article from www.example.com:

    <script src="https://mymap.example.com/public/js/map.js"></script>
    <div data-map="true"></div>
    

    The map.js script loads a JSON file generated with PHP on the https://mymap.example.com/ subdomain.

    My problem is that I want to let my visitors be able to use the map, but they are unable to because the JSON file is blocked by the CORS policy.

    As the JSON file is created by PHP, the solution seems to be to set the header Access-Control-Allow-Origin: *, just for this file.

    The question is:

    Do I get vulnerable if I do this? Would that be a hole for the WordPress site?

    If the answer is yes, can you give me an example?



  • This question has an answer here:

    https://stackoverflow.com/questions/12001269/what-are-the-security-risks-of-setting-access-control-allow-origin

    In short, it allows any website to make calls to your API through your client's device. If your client enters a malicious page and his browser executes the page's malicious JavaScript, then his browser can make malicious requests to your API, and your API won't know the difference. But if your API is not providing any sensitive/secret information (as I think is the case here) then it doesn't matter.
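A PHP handler for the JSON endpoint discussed above, as an added example (not the poster's code): instead of a blanket `*`, it echoes back the requesting origin only when it matches an allow-list containing the WordPress site. The `data/map.json` path and the `$allowedOrigins` contents are assumptions.

```php
<?php
// Added example: serve the public map JSON with a restricted CORS policy.
// Assumption: the only page that legitimately embeds the map is the
// WordPress site at https://www.example.com (from the post); the JSON file
// path below is made up for this example.
$allowedOrigins = ['https://www.example.com'];

$origin = $_SERVER['HTTP_ORIGIN'] ?? '';

if (in_array($origin, $allowedOrigins, true)) {
    // Echo the exact matching origin rather than "*", so only the WordPress
    // site can read the response from JavaScript. "Vary: Origin" stops a
    // shared cache from handing one origin's response to another origin.
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Vary: Origin');
}
// No Access-Control-Allow-Credentials header is sent: public map data does
// not need cookies, and browsers refuse a "*" origin combined with
// credentials anyway.

// A preflight request needs only the CORS headers, not the JSON body.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
    header('Access-Control-Allow-Methods: GET');
    header('Access-Control-Max-Age: 86400');
    http_response_code(204);
    exit;
}

header('Content-Type: application/json; charset=utf-8');
// Prevent MIME sniffing so the response is never interpreted as a script.
header('X-Content-Type-Options: nosniff');
readfile(__DIR__ . '/data/map.json');
```

If the map data is genuinely public and never depends on a visitor's cookie or session, a plain `Access-Control-Allow-Origin: *` on this one file is also acceptable; the allow-list simply keeps the data readable only from the WordPress site.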

