CORS (Cross-Origin Resource Sharing)

CORS (Cross-Origin Resource Sharing, W3C) est le mécanisme browser permettant à un site (origin A) d'autoriser explicitly un autre site (origin B) à faire requêtes JS vers ses ressources, contournant la Same-Origin Policy par default. Critical pour APIs publiques, SPAs, microservices.

Same-Origin Policy rappel : par défaut, JavaScript ne peut pas faire requêtes vers autre origin (origin = scheme + domain + port). Empêche site malveillant lire data d'autres sites où user logged in.

CORS workflow :
(1) **Simple request** (GET, POST avec text/plain ou form, no custom headers) : browser envoie request avec `Origin: https://app.example.com`. Server répond avec `Access-Control-Allow-Origin: https://app.example.com`. Si match → browser autorise. Si différent → browser block response (request still sent !).

(2) **Preflight request** (custom headers, PUT/DELETE, Content-Type=application/json) : browser FIRST send OPTIONS request avec `Access-Control-Request-Method`, `Access-Control-Request-Headers`. Server répond avec allowed methods/headers/origin. Si OK → browser send actual request.

Headers côté server :
(1) **Access-Control-Allow-Origin** — origin allowed (specific OR `*` for fully public APIs ; cannot be `*` if credentials).
(2) **Access-Control-Allow-Methods** — HTTP methods allowed.
(3) **Access-Control-Allow-Headers** — request headers allowed.
(4) **Access-Control-Allow-Credentials** — true pour envoyer cookies/auth headers cross-origin.
(5) **Access-Control-Max-Age** — preflight cache duration.
(6) **Access-Control-Expose-Headers** — response headers visible to JS.

Exemple Node.js Express avec cors package :
```javascript
app.use(cors({
origin: ['https://app.example.com', 'https://admin.example.com'],
credentials: true,
methods: ['GET', 'POST', 'PUT', 'DELETE'],
allowedHeaders: ['Content-Type', 'Authorization']
}));
```

Pièges courants :
(1) **`Access-Control-Allow-Origin: *` AND credentials** — combo invalid, browser block. Must specify exact origin if credentials.
(2) **Reflecting Origin** sans validation — `res.setHeader('Access-Control-Allow-Origin', req.headers.origin)` — dangerous, allows any site CORS access. Always whitelist.
(3) **Preflight non géré** — server returns 200 with allow headers, MUST handle OPTIONS method.
(4) **Confusion CORS vs CSRF** — CORS = read protection (JS can't read response), CSRF = write protection (form submit cross-site can still happen).
(5) **Server-side CORS misconfigurations** = vulnerabilités classiques (overly permissive policies leak data).

CORS misconfigs commun pentested : `Access-Control-Allow-Origin: null`, regex bypasses, allow subdomain wildcard exploitable. Compétences Security+, CISSP, OSCP.