What is the justification for cross-domain AJAX security?

Given the ease of writing a server-side proxy that retrieves data from another domain, I am at a loss as to what the original intention was in preventing client-side AJAX from calling across domains. I am not asking for speculation; I am looking for documentation from the language developers (or people close to them) about what they thought they were doing, besides simply creating inconvenience for developers.

TIA

+8
javascript ajax
5 answers

To prevent the browser from being used as a reverse proxy. Suppose you are browsing http://www.evil.com from a PC in your office, and assume that there is an intranet with confidential information in this office at http://intranet.company.com, which is accessible only from the local network. If the cross-domain policy did not exist, www.evil.com could make AJAX requests to http://intranet.company.com using your browser as a reverse proxy and send that information to www.evil.com using another AJAX request.

This is one of the reasons for the limitation, I assume.

+6

The most important reason for this limitation is a security issue: should a JSON request force the browser to send and accept cookies or security credentials with a request to another domain? This is not a problem with a server-side proxy, as it does not have direct access to the client environment. A proposal has been made for safe, sanitized methods for JSON-specific requests, but it has not yet been implemented.

+2

If you are the author of myblog.com and you do an XHR to facebook.com, should the request send your Facebook credentials cookie? No, because that would mean you could request private information about the person.

If you create a proxy service for this, your proxy server will not have access to the Facebook cookies.

You can also ask why JSONP is OK. The reason is that you are loading a script that you did not write, so unless the Facebook script decides to send information to your JS code, you will not have access to it.

+2
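The JSONP exchange the answer above describes, as an added example written for this page (it is not code from the answer or from any real site). The endpoint, the session table and the cookie are constructed; the "server" is a plain function and a `new Function` call stands in for the browser executing the response as a script tag:

```javascript
// Added example, not part of the original answers: a minimal JSONP exchange.
// The session store below is constructed for this illustration (hypothetical users).
const SESSIONS = { s3cr3t: { name: 'alice', email: 'alice@example.com', friends: 42 } };

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// The response is executed as script by the requesting page, so the callback name
// must be constrained to a plain (optionally dotted) identifier; anything else
// would let the requester inject arbitrary JavaScript into the response body.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Server side: the data owner decides what a foreign page gets. It sees the cookie
// (the <script> load carries it), but hands over only what it considers public.
function jsonpEndpoint(query, cookieHeader) {
  const cb = query.callback || '';
  if (!CALLBACK_NAME.test(cb)) {
    return { status: 400, contentType: 'text/plain', body: 'bad callback' };
  }
  const user = SESSIONS[parseCookies(cookieHeader).sid];
  const payload = user ? { name: user.name } : { name: null }; // never email or friends
  return {
    status: 200,
    contentType: 'application/javascript',
    body: `${cb}(${JSON.stringify(payload)});`,
  };
}

// Client side, simulated. A real page would define window.onMe and append
// <script src="https://api.example/me?callback=onMe"> (hypothetical URL); the browser
// then runs the response body as code. new Function plays that role here.
function runResponseAsScript(body) {
  const received = [];
  new Function('onMe', body)((data) => received.push(data));
  return received;
}

// Usage: a logged-in user's browser loads the script; the page learns only the name.
const res = jsonpEndpoint({ callback: 'onMe' }, 'sid=s3cr3t');
console.log(res.body, '->', runResponseAsScript(res.body));
```

Two caveats worth keeping in mind: the page's safety rests entirely on what the endpoint chooses to emit (the requesting page runs whatever comes back with full privileges), and in current browsers the cookie is only attached to a cross-site script load if it was set with SameSite=None; Secure.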

The difference between direct access and a proxy server is cookies and other security-related information and checks, which are strictly limited to a single origin.

With them, your browser can access sensitive data. Your proxy cannot, because it does not know the user's login information.

Consequently, the proxy server only works for public data; like CORS.

+1
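The origin rule and the CORS exception that the answers above refer to, as an added example written for this page (not code from any of the answers). It is a simplified model of what a browser does for one XMLHttpRequest: compute the origin, decide whether a preflight is needed, and check the response headers before letting the page read the body. The page URLs, target URLs and header values are constructed, and only the origin and credentials part of the preflight check is modelled:

```javascript
// Added example, not part of the original answers: a simplified model of the
// same-origin policy and the CORS response check. All URLs/headers are constructed.

// An origin is the (scheme, host, port) triple; WHATWG URL drops default ports.
function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sameOrigin(a, b) {
  return origin(a) === origin(b);
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// A "simple" request is sent immediately (cookies included when the page asked for
// them); anything else gets an OPTIONS preflight first, so the target can refuse it.
function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    if (n === 'content-type' &&
        !SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase())) return true;
  }
  return false;
}

function lowerKeys(h) {
  return Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));
}

// May script running at pageUrl read a response that came back from targetUrl?
function mayReadResponse(pageUrl, targetUrl, withCredentials, responseHeaders) {
  if (sameOrigin(pageUrl, targetUrl)) return { ok: true, reason: 'same-origin' };
  const h = lowerKeys(responseHeaders);
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return { ok: false, reason: 'no Access-Control-Allow-Origin' };
  if (allow === '*') {
    // A wildcard is never accepted when cookies/credentials were attached.
    return withCredentials
      ? { ok: false, reason: 'wildcard not allowed with credentials' }
      : { ok: true, reason: 'wildcard' };
  }
  if (allow !== origin(pageUrl)) return { ok: false, reason: 'origin not allowed' };
  if (withCredentials && h['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'credentials not allowed' };
  }
  return { ok: true, reason: 'origin allowed' };
}

// Simulate one XHR. The server is a function so we can observe whether it was
// reached even when the page is denied the response: the policy stops reading,
// not sending, for simple requests. A server-side proxy at the page's origin,
// by contrast, never has the user's intranet reachability or cookies at all.
function simulateXhr(pageUrl, targetUrl, opts, server) {
  const { method = 'GET', headers = {}, withCredentials = false } = opts;
  const crossOrigin = !sameOrigin(pageUrl, targetUrl);
  if (crossOrigin && needsPreflight(method, headers)) {
    const pre = server('OPTIONS', { Origin: origin(pageUrl) }, false);
    if (!mayReadResponse(pageUrl, targetUrl, withCredentials, pre.headers).ok) {
      return { reached: false, readable: false, body: null }; // real request never sent
    }
  }
  const reqHeaders = crossOrigin ? { ...headers, Origin: origin(pageUrl) } : headers;
  const res = server(method, reqHeaders, withCredentials);
  const check = mayReadResponse(pageUrl, targetUrl, withCredentials, res.headers);
  return { reached: true, readable: check.ok, body: check.ok ? res.body : null };
}

// Usage: the intranet scenario from the first answer. The GET reaches the intranet
// host, but www.evil.com's script is not allowed to read what came back.
const intranet = () => ({ headers: { 'Content-Type': 'text/html' }, body: 'CONFIDENTIAL' });
console.log(simulateXhr('http://www.evil.com/', 'http://intranet.company.com/report',
  { withCredentials: true }, intranet));
```

The two outcomes to notice are that the intranet server was reached (so a state-changing simple request can still have side effects; that is the CSRF class of problem, which the same-origin policy does not address) and that the body stays unreadable unless the intranet host explicitly opts in with Access-Control-Allow-Origin and, for credentialed requests, Access-Control-Allow-Credentials: true.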

I know that you are asking for expert answers; I'm just a neophyte, and this is my opinion on why a server-side proxy is not a proper final solution:

  • Building a server-side proxy is not as simple as not building one at all.
  • It is not always possible, as with third-party JS widgets. You do not want all your publishers to have to declare a DNS record to integrate your widget, and changing the document.domain of your pages causes problems.
  • As I read in a third-party JavaScript book, "it requires loading an intermediate tunnel file before it can perform cross-domain requests." At the very least, you put JSONP into play with more complex juggling.
  • IE8 is also not supported; also from the aforementioned book: "IE8 has a rather strange bug that prevents the top-level domain from communicating with its subdomain, even when they both opt into a common domain namespace."
  • There are several security issues that people have explained in other answers, and even more than those; you can check section 4.3.2, Messaging using subdomain proxies, in the above book.

And most importantly for me:

  • It is a hack, like the JSONP solution; it is time for a standard, reliable, safe, clean and convenient solution.

But, after re-reading your question, I think I still haven't answered it, so: why is this AJAX security? Again, I think the answer is this:

Because you do not want any web page you visit to be able to make calls from your desktop to any computer or server on your office intranet.

+1
