Cross-origin resource sharing

Cross-origin resource sharing (CORS) occurs when a script on one server sends an Ajax request to another server. Cross-origin resource sharing also occurs when a request is sent on a different protocol or port to the same server.

Cross-origin resource sharing violates the 'same origin policy', which is in place to prevent cross-site request forgery attacks. While the global prevention of cookies for /api/* endpoints avoids these attacks, browsers still attempt to enforce this policy. All browsers use this convention but it does not apply to manual request mechanisms like cURL.

Browsers detect that you are attempting to make a request to a server, and initially send a preflight request. Preflight requests are set as an OPTION request against the same URL, but also contain the Origin header. The server must send back other information such as allowed request types, whether to expect headers in the actual request's response, and whether the origin is accepted.

If the 'Access-Control-Allow-Origin' header of the response of the preflight request does not match the Origin header of the request, the browser rejects it. If the 'Access-Control-Allow-Origin' header matches, the browser proceeds with the request. The request's response must pass the same origin check, in case the rule changes between the preflight and actual request.

Management of allowed origins

The origin value that is sent by your browser contains the protocol followed by the host name and port, for example:

http://192.0.2.0:8888

You can intercept requests sent by your browser to ensure that you have the correct origin value. You can add your origin to a whitelist on the QRadar® Console in the /opt/qradar/webapps/console/restapi/allowed_origins.list file. Changes are detected and take effect immediately. This file contains a newline separated list of allowed origins. Each entry is tested against the origin header that is sent by browsers during pre-flight requests. If an entry matches the origin (or any entry is '*'), the browser is allowed to make cross-origin resource sharing requests.

A common browser convention is to send null as the origin when the script is started from file:// by adding '*' to the whitelist. This practice allows all origins and is not a good practice.