The sandbox features:
- Ability to test cross-origin requests made with `fetch` using different settings:
  - mode
  - credentials
  - headers
  - methods
  - content type
- Ability to test whether cookies are sent on cross-origin requests under different cookie settings:
  - SameSite mode (None, Lax, Strict, Default)
  - HttpOnly flag
  - Secure flag
- Ability to test cross-origin requests and cookie-sending behaviour when the request targets:
  - subdomains / different domains
  - http / https
  - a server that allows cross-origin requests / a server that does not
The result can be seen in the browser console log. With an intercepting proxy such as Burp Suite you can also see the real requests that reach the server and their responses, including simple requests whose response the browser then refuses to expose to the page (CORS restricts reading the response, not sending the request).
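The server side of the last bullet (a virtual host that allows cross-origin requests next to one that does not) and the cookie flags from the second bullet, as an added example in Go. This is not the sandbox's own `cmd/server` code; the origin allowlist, the `:8080` port and the `samesite`/`httponly` query parameters are assumptions made for the example. It shows the two details that most often go wrong when building such a server: a credentialed request needs a specific reflected origin rather than `*`, and `SameSite=None` is ignored by browsers unless `Secure` is also set.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"strings"
)

// allowedOrigins is the allowlist the "allowing" host reflects back.
// The hostnames follow the /etc/hosts entries above; scheme and port are assumed.
var allowedOrigins = map[string]bool{
	"http://origin.cors.com":  true,
	"https://origin.cors.com": true,
}

// corsHeaders returns the CORS response headers for a request from origin.
// It returns nil when the host does not allow CORS or the origin is not on
// the allowlist: the request is still served, but the browser blocks the
// page from reading the response.
func corsHeaders(origin string, allow bool) map[string]string {
	if !allow || !allowedOrigins[origin] {
		return nil
	}
	// A credentialed request (credentials: "include") is only readable if the
	// server echoes one specific origin; browsers reject "*" combined with
	// Access-Control-Allow-Credentials: true. Vary: Origin keeps caches honest.
	return map[string]string{
		"Access-Control-Allow-Origin":      origin,
		"Access-Control-Allow-Credentials": "true",
		"Access-Control-Allow-Methods":     "GET, POST, PUT, DELETE",
		"Access-Control-Allow-Headers":     "Content-Type, X-Custom-Header",
		"Vary":                             "Origin",
	}
}

// cookieFor builds the Set-Cookie the sandbox issues for one SameSite mode.
// SameSite=None is forced Secure because browsers drop a None cookie without it.
func cookieFor(name, value, sameSite string, httpOnly, secure bool) *http.Cookie {
	c := &http.Cookie{Name: name, Value: value, Path: "/", HttpOnly: httpOnly, Secure: secure}
	switch strings.ToLower(sameSite) {
	case "none":
		c.SameSite = http.SameSiteNoneMode
		c.Secure = true
	case "lax":
		c.SameSite = http.SameSiteLaxMode
	case "strict":
		c.SameSite = http.SameSiteStrictMode
	default:
		c.SameSite = http.SameSiteDefaultMode // no attribute; the browser applies its default
	}
	return c
}

// handler serves one virtual host; allow selects the allowing / not-allowing behaviour.
func handler(allow bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		for k, v := range corsHeaders(r.Header.Get("Origin"), allow) {
			w.Header().Set(k, v)
		}
		if r.Method == http.MethodOptions { // preflight: headers only
			w.WriteHeader(http.StatusNoContent)
			return
		}
		// Assumed query parameters pick the cookie flags, e.g. ?samesite=none&httponly=1
		q := r.URL.Query()
		http.SetCookie(w, cookieFor("sandbox", "1", q.Get("samesite"), q.Get("httponly") == "1", r.TLS != nil))
		// Echo the Cookie header so the page can see whether the browser attached it.
		fmt.Fprintf(w, "cookie seen by server: %q\n", r.Header.Get("Cookie"))
	}
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("allowing.cors.com/", handler(true))
	mux.Handle("inallowing.cors.com/", handler(false))
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

Run it, then from a page on origin.cors.com issue `fetch("http://allowing.cors.com:8080/?samesite=none", {credentials: "include"})` and the same against `inallowing.cors.com`: the proxy shows both requests reaching the server, but only the first response is readable from the console.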
Add to /etc/hosts:
```
127.0.0.1 allowing.cors.com
127.0.0.1 inallowing.cors.com
127.0.0.1 allowing.cors-another.com
127.0.0.1 inallowing.cors-another.com
127.0.0.1 origin.cors.com
```
Add certs.caroot.cer to the trusted certificates of your system (or browser), otherwise the https hosts will fail with a certificate error.
Run docker-compose:
```
docker-compose up
```
Run the http servers:
```
go run cmd/server/main.go
```
Open the application:
Go to http://origin.cors.com or https://origin.cors.com
If you need to test behaviour without the browser security policy, you can run Chrome with web security disabled. Use a throwaway profile directory (as in the commands below) and do not browse anything else with that instance, since it has no same-origin protection.
Close all Chrome instances and run in a terminal:
MacOS
```
open -na Google\ Chrome --args --user-data-dir=/tmp/temporary-chrome-profile-dir --disable-web-security --disable-site-isolation-trials
```
See details here 2
Kali Linux
```
google-chrome --user-data-dir="$HOME/google-chrome-data" --disable-web-security
```
(Quoting `"~/..."` would pass the literal tilde to Chrome, so `$HOME` is used instead.)
Go to http://origin.cors.com or https://origin.cors.com
If you need to regenerate the certificates, you can use mkcert. `mkcert -install` creates a local CA and adds it to the system trust store; running the generate commands inside nginx/certs puts the created certificate and key files there directly (otherwise move them into the nginx/certs folder):
```
brew install mkcert
mkcert -install
cd nginx/certs
mkcert "*.cors.com"
mkcert "*.cors-another.com"
```