1

We have several internal web applications. One of those needs to access all the other applications. Problem is: Same-Orign-Policy.

Actually I did manage to get around it. First of all, the IE is quite sloppy what concerns web security. So, it actually asked me whether I want to have these requests done or not. If I clicked yes, he just executed the cross site requests.

But since most of the users won't use IE, there was the need to make it run in another browser. So, I tried to make it run in Google Chrome. And after some research I found out, that it will work when I turn of the Web Security by using the execution parameter --disable-web-security. This did the job. But unfortunately, most of the users won't be using this execution parameter. Therefore I need another solution.

Then I came across CORS. CORS seems to be implemented in Chrome, but it has one drawback (for me). I need to set headers on the server side. For reasons I won't discuss in here, this is a no go.

So what I was actually wondering about is:

Why will disabling Browser's Web Security do the job, while I need the server to allow the request when using CORS?

  1. What exactly happens inside the browser when I disable the web security?

  2. And is there another way to execute my CSR without adding headers on the server's side or disabling the security?

Thanks in advance

EDIT: JSONP is out of question either

keinabel
  • 1,002
  • 3
  • 15
  • 33

2 Answers2

2

Why will disabling Browser's Web Security do the job, while I need the server to allow the request when using CORS?

The point of the Same Origin Policy is to prevent Mallory's evil site from making Alice's browser go to Bob's site and expose Alice's data to Mallory.

Disabling security in the browser is, effectively, saying "I don't care about protecting my data on Bob's (or any other!) site". This is a dangerous thing to do if the browser is ever going to go near the open web. The option is provided to make development more convenient — I prefer a more controlled solution (such as the URL rewriting options in Charles proxy).

CORS is Bob's site saying "This URL doesn't contain any data that Mallory (or some other specific site, or everyone) shouldn't have access to, so they can access it. Bob's site can do this because it knows which parts of it contain public data and which parts contain private data.

What exactly happens inside the browser when I disable the web security?

It disables the aforementioned security feature and reduces the protection of the user's data.

And is there another way to execute my CSR without adding headers on the server's side or disabling the security?

A proxy. See Ways to circumvent the same-origin policy, specifically the Reverse Proxy method.

Community
  • 1
  • 1
Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • So does that mean, that setting the header on the server's side is totally pointless, when the client side won't check it at all? I always thought the server would check whether the request is okay or not.. – keinabel Feb 28 '13 at 15:45
  • 1
    There is no way a server could possibly know if a request was triggered by JavaScript running on another site or not. The client side **will** check it, and will block access to the data by default. The CORS header tells the client not to worry and expose the data requested to JS. – Quentin Feb 28 '13 at 15:57
  • Is there a way to somehow manipulate the response header before the client checks it? Heard of a firefox plugin doing that job. – keinabel Feb 28 '13 at 19:04
1

I guess you are using AJAX requests, here is another question Ways to circumvent the same-origin policy that has a big detailed answer.

You can use a Flash object (flash doesn't have this problem)

Also about "whats the worst could happen" http://blogs.msdn.com/b/ieinternals/archive/2009/08/28/explaining-same-origin-policy-part-1-deny-read.aspx and http://en.wikipedia.org/wiki/Cross-site_scripting

Community
  • 1
  • 1
BG Adrian
  • 485
  • 1
  • 4
  • 12