Clarification on "Cross Domain Ajax" Security Issues


Assuming we allowed cross-domain Ajax requests.

The code would look something like this:

    // jQuery POST to another origin; the callback runs only if the browser lets the page read the response
    $.post('http://google.com/get/emails/all', function (emails) {
        // I can see your emails
        readAllEmails(emails);
    });

What are the security risks with this call? Won't mail.google.com just deny the request, and wouldn't that be the end of it?

Edit: To clarify the question above.

In the scenario above, which cookies get sent to mail.google.com? Is it all the cookies that your browser is currently storing, or just that domain's cookies? If it's all the cookies, then I understand why cross-domain Ajax calls are an issue. However, if that were the case, I don't understand why the browser would send all the cookies; what is the advantage?

Answer 1:

Cross-domain AJAX calls are denied by default due to the Same-Origin Policy in browsers. This means that a web page loaded from yourdomain.com, executing JavaScript, cannot make AJAX calls to mail.google.com or other domains outside yourdomain.com.

Modern browsers allow limited AJAX calls to other domains via Cross Origin Resource Sharing (CORS). This allows another site like www.publicapi.com to authorize cross-domain requests over AJAX by specifying Access-Control-* headers for allowed domains and methods. These CORS requests operate in a limited access context and will not get/set cookies for www.publicapi.com or HTTP authorization.

Some browsers allow enabling cookies/authorization through the Access-Control-Allow-Credentials header, but this is dangerous for most applications.

In particular, if HTML on yourdomain.com tries to access mail.google.com via AJAX, it will fail. If mail.google.com enabled CORS access for some APIs, you could read public data but not be authenticated by cookies or HTTP auth. If mail.google.com set Access-Control-Allow-Credentials headers, your browser supported it, and you had a pre-existing session on mail.google.com, you could make AJAX requests as your logged-in user.

This is a major security risk for Google Mail and would not ever be enabled. However, for public APIs or essentially public data, CORS can enable AJAX usage cross-domain.
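The answer above describes two decisions: what CORS headers a server sends, and whether the browser then lets the page read the response, with cookies only ever involved when Access-Control-Allow-Credentials is set. The following is an added example modelling both decisions; it is not code from the question or the answers, and the allowlist origin and the www.publicapi.com role are assumed.

```javascript
// Added example: a minimal model of the CORS decision described in the answer.
// corsHeaders() is what a server such as the hypothetical www.publicapi.com
// would send; browserAllowsRead() mirrors the check the browser makes before
// handing the response body to the page's JavaScript.

const ALLOWED_ORIGINS = new Set(['https://www.yourdomain.com']); // assumed allowlist

// Server side: build CORS response headers for a given request Origin.
// withCredentials=true means the API wants the browser to attach cookies/HTTP auth.
function corsHeaders(origin, withCredentials) {
  const headers = {};
  if (!withCredentials) {
    // Public data: any origin may read it, but cookies are never sent or used.
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }
  // Credentialed: browsers reject the wildcard, and reflecting an arbitrary
  // Origin would let every site act as the logged-in user. Only echo origins
  // from the allowlist, and tell caches the answer depends on Origin.
  if (ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';
  }
  return headers; // empty object: no CORS headers, the page cannot read the body
}

// Browser side: may the page at pageOrigin read the response?
function browserAllowsRead(pageOrigin, responseHeaders, credentialsSent) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false; // Same-Origin Policy: no header, no read
  if (credentialsSent) {
    // Cookies went along: the browser demands an exact origin match plus the
    // explicit credentials opt-in; '*' is not accepted in this mode.
    return acao === pageOrigin &&
      responseHeaders['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// The question's scenario: a page on some other origin calls a mail API that
// needs the user's session cookies. Returns true only if that page could read it.
function otherOriginCanReadMail(pageOrigin) {
  const resp = corsHeaders(pageOrigin, true); // mail API is credentialed
  return browserAllowsRead(pageOrigin, resp, true);
}
```

The model shows why the answer calls Allow-Credentials dangerous: the only thing standing between a third-party page and the logged-in user's data is the server's allowlist check.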

Answer 2:

"is it all the cookies that your browser is currently storing or is just the domain cookies?"

Just the domain's. Sending all domains' cookies would be a disaster.

Anyway, I think this is the same topic:

Why the cross-domain Ajax is a security concern?