Feature request: CORS testing

[legrego]

I know discussions are preferred here for feature requests, but GitHub did not allow me to create a new Discussion.

I was looking for a quick way to verify CORS for my web application. I wanted to see how my application would respond to various requests made from a different origin, to ensure that my resources were adequately protected.

For my specific use case, I wanted to see if it was possible for a cross-origin request to be made which included a custom header. This custom header provides a defense against CSRF attacks when properly configured (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#employing-custom-request-headers-for-ajaxapi)

[azasypkin]

Thank you for the issue, @legrego! That’s a great idea and definitely fits into the “Web Security” suite!

I know discussions are preferred here for feature requests, but GitHub did not allow me to create a new Discussion.

Ugh, I didn’t realize it needed to be explicitly allowed. It’s fixed now, and I’ll move this to discussions. Thanks for flagging it.

I was looking for a quick way to verify CORS for my web application. I wanted to see how my application would respond to various requests made from a different origin, to ensure that my resources were adequately protected.

Are you essentially looking to see the CORS-related headers your app returns whenever a specific endpoint is “preflighted” (input: remote endpoint, output: CORS response headers)?

Or are you looking for something that allows you to fully specify the details of a cross-origin request (origin, method, headers, etc.) and get a simple yes/no answer, with an explanation when the answer is no (e.g., which CORS directive is violated)? It'd still be possible to see the raw CORS response headers.

Or would you prefer something more flexible and advanced, such as an HTML editor that allows you to fully craft your “foreign-origin” page and directly interact with your app’s endpoint (possibly with a set of ready-to-use JS helper utilities)? It’ll probably require the same amount of effort from the user as crafting a local page themselves...

Or do you have something else in mind?

[legrego]

Are you essentially looking to see the CORS-related headers your app returns whenever a specific endpoint is “preflighted” (input: remote endpoint, output: CORS response headers)?
Or are you looking for something that allows you to fully specify the details of a cross-origin request (origin, method, headers, etc.) and get a simple yes/no answer, with an explanation when the answer is no (e.g., which CORS directive is violated)? It'd still be possible to see the raw CORS response headers.

@azasypkin I could imagine a combination of these two features being useful.

For a user who is unfamiliar with CORS, it might be useful to see, for a given resource:

1. What is permitted/denied in a cross-origin context
2. Why it's permitted/denied (e.g., this is a "safe" GET request, or it's explicitly allowed/disallowed via CORS headers, etc)
3. What to change if you wish to allow/deny sharing of the resource

For my specific needs, I am more interested in quickly testing a CORS request, and getting a quick yes/no answer.

Or would you prefer something more flexible and advanced, such as an HTML editor that allows you to fully craft your “foreign-origin” page and directly interact with your app’s endpoint (possibly with a set of ready-to-use JS helper utilities)? It’ll probably require the same amount of effort from the user as crafting a local page themselves...

I don't have a real need for this.