No (*). When the browser sends AJAX requests to a service, it sends all cookies belonging to the service's domain along with them. Consider the scenario where you browse to http://site.malvado.com/ and that site sends a DELETE (or POST, or PUT) to http://seu.banco.com/contas: if the bank site uses a simple authentication mechanism based only on the presence of the user's cookie, it will delete your accounts. To protect against this type of attack, when a (modern) browser sends a request to a domain other than that of the page, it follows the CORS protocol, which requires an OPTIONS request. If the server is aware of the possibility of such attacks (i.e. it does not use a vulnerable form of authentication), it will enable CORS and will know how to respond to OPTIONS requests. If the service does not accept OPTIONS, it may not be prepared to handle cross-domain requests.
(*) However, there are situations where you want to override this restriction. Some options:
- Using a proxy in the same domain as your page: your page calls a service on your own application's server. Because the domain is the same as the page's, the CORS restriction does not apply. The browser sends the cookies for your domain, and your server-side code (e.g. PHP, C#) makes the request to the final service. Note that your server will not have any cookies for that other domain, which is what "saves" the target service from the attack.
- Using a browser plug-in: depending on its implementation, a plug-in can have access to all cookies and is not subject to the CORS restriction. But this solution requires the user to install the plug-in on their machine, which greatly limits its use.
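The two server-side pieces the answer above describes, written out as an added example that is not part of the original answer: a small Node.js service that answers the CORS preflight (OPTIONS) only for an explicit allow-list of origins and methods, and the header-filtering step a same-domain proxy performs before forwarding the browser's request to the final service. The origin `https://app.example.test`, the method list and port 8080 are assumptions chosen for illustration; nothing here is the configuration of any real site.

```javascript
// Added example (not part of the original answer): a minimal Node.js service
// that answers CORS preflight (OPTIONS) requests against an explicit origin
// allow-list, plus the header filtering a same-domain proxy should do before
// forwarding a request to the final service. The origin, methods and port are
// assumptions chosen for illustration.

// Hypothetical allow-list: only the application's own page origin may call the
// service cross-origin with credentials. Never use "*" together with credentials.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];

// Build the answer to an OPTIONS preflight. The browser only sends the actual
// DELETE/PUT (or a POST with a JSON body) if this answer names the requesting
// origin and the requested method; an answer without Access-Control-* headers
// makes the browser drop the real request before it reaches the service.
function preflightResponse(origin, requestedMethod) {
  const method = String(requestedMethod || "").toUpperCase();
  if (!origin || !ALLOWED_ORIGINS.has(origin) || !ALLOWED_METHODS.includes(method)) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,          // echo the single allowed origin
      "Access-Control-Allow-Credentials": "true",      // cookies accepted from that origin
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": "Content-Type",
      "Access-Control-Max-Age": "600",
      "Vary": "Origin",                                // caches must key on Origin
    },
  };
}

// Headers a same-domain proxy forwards to the final service. The browser sent
// the page's own cookies to the proxy; they must not be replayed to the service,
// and hop-by-hop / connection-specific headers are dropped as well. The proxy
// holds no cookies for the service's domain, so the forwarded request cannot
// ride on the user's session there.
function proxiedHeaders(incomingHeaders) {
  const drop = new Set(["cookie", "host", "connection", "content-length", "transfer-encoding"]);
  const out = {};
  for (const [name, value] of Object.entries(incomingHeaders)) {
    if (!drop.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Wire both into an HTTP server. The non-preflight branch must also carry the
// allow-origin header, or the browser hides the response from the page. The
// response body echoes what a proxy would forward, purely for demonstration.
function createServer() {
  const http = require("http");
  return http.createServer((req, res) => {
    const origin = req.headers.origin;
    if (req.method === "OPTIONS") {
      const { status, headers } = preflightResponse(origin, req.headers["access-control-request-method"]);
      res.writeHead(status, headers);
      res.end();
      return;
    }
    if (origin && ALLOWED_ORIGINS.has(origin)) {
      res.setHeader("Access-Control-Allow-Origin", origin);
      res.setHeader("Access-Control-Allow-Credentials", "true");
      res.setHeader("Vary", "Origin");
    }
    // Placeholder for the real handler (the account operations in the answer).
    res.writeHead(200, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ method: req.method, forwarded: proxiedHeaders(req.headers) }));
  });
}

if (typeof require !== "undefined" && require.main === module) {
  createServer().listen(8080, () => console.log("listening on http://localhost:8080"));
}
```

Run it with `node` and send `curl -i -X OPTIONS -H 'Origin: http://site.malvado.com' -H 'Access-Control-Request-Method: DELETE' http://localhost:8080/contas`: the 403 without any Access-Control-* headers is what makes a browser refuse to issue the DELETE from that page, while the same preflight with the allowed origin gets a 204 naming that origin.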