
CORS Multi-site


#1

Hello,

I have one newsletter that spans multiple website domains and would like to enable AJAX subscriptions on those websites.

I can do that by setting:

define('ACCESS_CONTROL_ALLOW_ORIGIN', '*');

However, I would like to know:

  1. Does wildcarding pose a security risk?
  2. Alternatively, is there a way to list multiple domains instead of having to wildcard them? Traditionally CORS does not allow comma-separated values unless phpList is doing something fancy.

Thank you


#2

@simm Did you find answers to your questions? If not, @michiel may be able to advise.


#3

Nope, still wondering about this. Thank you.


#4

Yes, the wildcard does open it up, and basically renders this security mechanism useless. If you want to be safe, you will need to add some logic behind it. You check the referrer, verify it is one of the sites you allow and then send it back as the allow-origin. I’m not sure it can be done with multiple domains in one header. I’ve never done it, so I can’t share experience here.


#5

Thanks!

Yes, this is my understanding as well – from the first post link, it appears CORS does not directly support multiple sites.

However, I imagine it is quite common that many users would like to be able to use one phpList install across multiple domains. So I worry that a number of installs have set it to wildcard and are now at risk.

But after thinking through the problem, the attacks seem relatively esoteric. It would be a much bigger risk if the admin interface applied ACCESS_CONTROL_ALLOW_ORIGIN, but that’s only applied to the end user interface. Those pages don’t expose end users’ e-mail addresses in plaintext (and not without the UID either). So any potential attacker would already need to know the user’s e-mail address, which is possible, but at that point CORS doesn’t become the limiting factor as there are workarounds.

That said, it would be great if phpList could handle multiple whitelisted sites for CORS, but given how minimal the attacks are, it does not seem like a risk in practicality to me. What do you think?
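
The check described in post #4 (compare the caller against a list of allowed sites and send the match back as the allow-origin value), as an added PHP example that is not part of the thread and not phpList's own code. It reads the browser's `Origin` request header rather than the referrer; the allowlist domains and function names are assumptions made for illustration.

```php
<?php
// Added example, not phpList code. Allowlist entries are constructed placeholders.
const ALLOWED_ORIGINS = [
    'https://news.example.com',
    'https://shop.example.org',
];

/**
 * Return the value to send as Access-Control-Allow-Origin, or null when
 * the caller's origin is not on the allowlist.
 */
function corsAllowOrigin(?string $origin, array $allowed): ?string
{
    if ($origin === null || $origin === '' || $origin === 'null') {
        return null; // no Origin header, or an opaque origin (sandboxed frame, file://)
    }
    // Exact comparison of scheme://host[:port]. No substring or suffix matching,
    // so "https://news.example.com.attacker.test" does not pass.
    return in_array($origin, $allowed, true) ? $origin : null;
}

function sendCorsHeaders(array $server, array $allowed): bool
{
    // The response now differs per Origin, so caches must key on it.
    header('Vary: Origin');
    $match = corsAllowOrigin($server['HTTP_ORIGIN'] ?? null, $allowed);
    if ($match === null) {
        return false; // no allow-origin header: the browser blocks the cross-origin read
    }
    header('Access-Control-Allow-Origin: ' . $match);
    return true;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample Origin values, to show the decision for each.
    $samples = [
        'https://news.example.com',               // listed
        'https://news.example.com.attacker.test', // look-alike suffix
        'http://news.example.com',                // wrong scheme
        'null',                                   // opaque origin
    ];
    foreach ($samples as $o) {
        printf("%-42s => %s\n", $o, corsAllowOrigin($o, ALLOWED_ORIGINS) ?? '(no header)');
    }
} else {
    sendCorsHeaders($_SERVER, ALLOWED_ORIGINS);
}
```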