Cross-origin resource sharing can be considered as one of the attacks that the website application server vulnerabilities. Normally, it will enable any controlled access to the bug located where it will run the Cross-origin rules such as Access-Cross-Allow-Origin:
However, this will affect if CORS is been misconfigured and wrong implemented on the website application or server will alert the attacker of the potential of the website vulnerabilities.
Nowadays, CORS will only allow the credential request as long as the request is been permitted by the browser. However, the Samesite request will not be sent even though CORS has to allow the third domain to access.
Vulnerabilities that will be arising from CORS will be Access-Cross-Allow-Origin where will be generated by a client-specified header. This vulnerability can be verified by reading the Origin header whenever you access a vulnerabilities website.
An example of the request will be included Origin:
Once the attacker notices that the website is responding with Acces-Cross-Allow-Origin, they can use any domain to access the vulnerability domain. If the response contains any privacy details or any sensitive such as API KEY(X-API-KEY: