What is an XSS Attack?
If CORS was the right-hand man of the same-origin policy, XSS would be its biggest nemesis.
XSS attacks circumvent same-origin policy by hiding malicious bits of code inside seemingly legitimate content. An example of this could occur if a user entered a script tag in a field that is not being sanitized. Sanitizing user input, disallowing inline scripts and enabling Content-Security-Policy are some of the preventive measures used against such attacks.
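The unsanitized-field case described above, shown beside an encoded version and a policy that disallows inline scripts. This is an added example, not code from the original page; the function names and the sample comment are constructed for illustration.

```javascript
// Hypothetical helper names; this is a sketch of a comment list renderer.

// Vulnerable: user text is concatenated straight into markup, so a
// <script> tag typed into the field becomes part of the page.
function renderCommentUnsafe(author, text) {
  return '<li><b>' + author + '</b>: ' + text + '</li>';
}

// Characters that let text break out of an HTML text node or quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Single-pass replace, so an already-produced '&amp;' is never re-escaped.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: every user-controlled value is encoded when it is written out.
function renderComment(author, text) {
  return '<li><b>' + escapeHtml(author) + '</b>: ' + escapeHtml(text) + '</li>';
}

// Second layer: a policy without 'unsafe-inline' makes the browser refuse
// inline <script> blocks and on* handlers even if an encoding step is missed.
function cspHeader() {
  return [
    'Content-Security-Policy',
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
  ];
}

// Constructed sample input: text typed into the comment field.
const sample = '<script>alert("xss")</script>';

console.log(renderCommentUnsafe('mallory', sample)); // script tag survives
console.log(renderComment('mallory', sample));       // rendered as inert text
console.log(cspHeader().join(': '));
```

The encoding here covers HTML text and quoted-attribute contexts only; values placed inside script blocks, URLs or CSS need context-specific encoding.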
CORS, the same-origin policy and XSS have an interesting triangular relationship. If we were in a Tim Burton movie, same-origin policy would be Gotham's Chief of Police, CORS would be Batman and XSS would be the Joker. Same-origin policy is strict about rules but allows vigilante work from CORS as long as it stays within the bounds of good behavior. Both are enemies of XSS.