CORS and CSP

Notes on two kinda similar-sounding concepts.

• CSP is about which origins you allow yourself to use resources from.
• CORS is about which origins are allowed to use resources from you.

Both have to be understood in context of the same-origin policy, by which browsers protect resources from different origins from being able to interact too much with each other.

Content Security Policy (CSP)

Content Security Policy (CSP) is a means of locking down which origins your site is allowed to use third party resources from. Its main purpose is to prevent XSS attacks, i.e. those in which your site is tricked into executing malicious third-party code in the context of your origin.

Your CSP is specified by the Content-Security-Policy HTTP header.

Cross-Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing (CORS) is a means of relaxing the same-origin policy for other origins. It’s about which origins can use resources from you.

Preflight requests

Preflight requests in CORS are a measure to protect older applications that aren’t aware of CORS, and which might be (incorrectly) assuming that same-origin policy protects against the kinds of potentially-dangerous requests that CORS makes possible. It makes sure that allowing this kind of request is opt-in.

Resources

• Demystifying SOP and CSP
• What is the motivation behind the introduction of preflight CORS requests?