# SOP / CORS

* <https://portswigger.net/web-security/cors/same-origin-policy>
* <https://portswigger.net/web-security/cors>
* <https://github.com/RUB-NDS/CORStest>

## CORS Server

A Flask HTTPS server that uses `flask_cors` with its default settings, which allow cross-origin requests from any origin:

{% code title="cors.py" %}

```python
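from flask import Flask, send_file
from flask_cors import CORS

app = Flask(__name__)
# Default flask_cors settings: cross-origin requests are allowed from any origin, on every route.
CORS(app)

@app.route('/xss.js', methods=['GET'])
def xss():
    # Serve the local xss.js file.
    return send_file('./xss.js', download_name='xss.js')

if __name__ == '__main__':
    # Self-signed certificate for the TLS listener:
    # openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
    # Binding to port 443 usually requires elevated privileges.
    app.run(host='0.0.0.0', port=443, ssl_context=('cert.pem', 'key.pem'))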
```

{% endcode %}
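
The server above answers every origin. For an application that returns data rather than a static file, the counterpart is an exact-match origin allowlist; the sketch below is an added example, not code from the original page, written without Flask so it runs stand-alone. The origins in `ALLOWED_ORIGINS` and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; replace with the origins you trust.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}


def normalize_origin(origin):
    """Return scheme://host[:port] in canonical form, or None if not a plain origin."""
    if not origin or origin == "null":
        return None  # sandboxed iframes and file:// pages send "null"; never trust it
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # An Origin header carries no path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    host = parts.hostname.lower()
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    default = {"http": 80, "https": 443}[parts.scheme]
    suffix = "" if port in (None, default) else f":{port}"
    return f"{parts.scheme}://{host}{suffix}"


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Headers to add to a response for a request carrying this Origin header."""
    headers = {"Vary": "Origin"}  # keep caches from serving one origin's answer to another
    normalized = normalize_origin(origin)
    trusted = {normalize_origin(o) for o in allowed}
    # Exact match only: no substring, prefix, suffix or regex comparison.
    if normalized is not None and normalized in trusted:
        headers["Access-Control-Allow-Origin"] = normalized
    return headers


if __name__ == "__main__":
    # Constructed Origin values covering the usual bypass shapes.
    for sample in ("https://app.example.com", "https://app.example.com.evil.test",
                   "http://app.example.com", "null"):
        print(sample, "->", cors_headers(sample))
```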
