Feature request: CORS testing

[legrego]

I know discussions are preferred here for feature requests, but GitHub did not allow me to create a new Discussion.

I was looking for a quick way to verify CORS for my web application. I wanted to see how my application would respond to various requests made from a different origin, to ensure that my resources were adequately protected.

For my specific use case, I wanted to see if it was possible for a cross-origin request to be made which included a custom header. This custom header provides a defense against CSRF attacks when properly configured (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#employing-custom-request-headers-for-ajaxapi)

[azasypkin]

Thank you for the issue, @legrego! That’s a great idea and definitely fits into the “Web Security” suite!

I know discussions are preferred here for feature requests, but GitHub did not allow me to create a new Discussion.

Ugh, I didn’t realize it needed to be explicitly allowed. It’s fixed now, and I’ll move this to discussions. Thanks for flagging it.

I was looking for a quick way to verify CORS for my web application. I wanted to see how my application would respond to various requests made from a different origin, to ensure that my resources were adequately protected.

Are you essentially looking to see the CORS-related headers your app returns whenever a specific endpoint is “preflighted” (input: remote endpoint, output: CORS response headers)?

Or are you looking for something that allows you to fully specify the details of a cross-origin request (origin, method, headers, etc.) and get a simple yes/no answer, with an explanation when the answer is no (e.g., which CORS directive is violated)?

Or would you prefer something more flexible and advanced, such as an HTML editor that allows you to fully craft your “foreign-origin” page and directly interact with your app’s endpoint (possibly with a set of ready-to-use JS helper utilities)? It’ll probably require the same amount of effort from the user as crafting a local page themselves...

Or do you have something else in mind?