
I spent the last 3 days studying how to make a cross domain request using XMLHttpRequest. The best alternative is indeed with JSONP which I am already using.

But I still have a question that I could not find an answer to anywhere. I read hundreds of posts (including SOs) and nobody has a good reliable answer (with a nice reference). Hope someone here can help.

That said, I read on many websites that for security reasons I cannot make an Ajax request from domain aaa.com to bbb.com and get the data I want. It's very clear and I have no question about that. BUT the problem is when I run the code below on my localhost (so my domain is "localhost" and I should not be able to request any data from another domain).

```javascript
var xhReq = new XMLHttpRequest();
// Cross-origin GET fired from a page served on localhost
xhReq.open("GET", "http://domain.com?parameter", true);
xhReq.send(null);
```

When I inspect the Firebug Net tab I realize that the request was not blocked! It was clearly requested. I could not believe it. So I created a file at domain.com/log.php where I could log any request that hit my domain. Surprisingly, all the requests I was firing from localhost were hitting my domain.com. When I tried to fetch the response I really could not get it, due to the same origin policy of my Chrome and Firebug browser. But I was really surprised that the request really hit the webserver even though I could not manipulate the response.

More surprisingly, if domain.com/log.php generates a huge response of like 1MB, Firebug showed me that the browser does download ALL the 1MB from the webserver, and at the end it shows an "Access denied" message as expected. So why download the whole file if the same origin policy forbids that data to be read?

Finally, what amazes me is that all the websites and specifications I read say very CLEARLY that the request is blocked using Ajax when the target domain does not match the source domain. But clearly, in my experiment, the requests are being completed, even though I cannot access the response data.

What makes me upset is that it could open a BIG security hole, in which a website with thousands of views every day could run this 3-line code and cause a HUGE DDoS attack on an unfriendly website just by making its users request a page on another website at small intervals, since the browser will not block the request.

I tested this script in IE 7, 8 and 9, latest Chrome and latest Firefox, and the behaviour is the same: the request is made and the browser downloads the whole response while not making it available, due to SOP.

Hope someone can explain to me why the specs are so wrong about it, or what I am misunderstanding!

Samul
  • Nice question. I have no idea why the request hits the external domain. I did a test here and, like you, the request was completed, however I could not fetch the response. Hope someone helps. – amandanovaes Oct 30 '13 at 03:48
  • Can you check whether `domain.com` has [CORS](http://www.w3.org/TR/cors/) enabled.... but if so IE should not work... anyway, can you confirm – Arun P Johny Oct 30 '13 at 04:10
  • @ArunPJohny no, CORS is not enabled. It's an example site. You can change domain.com to any domain and you will see in Firebug or the Chrome Net console that the request is completed with no error. It's clear that this is not a bug, cause all the browsers I tested behave the same way, but why does the specification say that the request "is blocked" for cross domain ajax requests? – Samul Oct 30 '13 at 15:56
  • I just want you to know that I spent the last hours making several tests and in all cases the request succeeds and hits the server! Really odd this! Thanks for posting this question. – amandanovaes Oct 30 '13 at 17:48

2 Answers

This happens because the same origin policy is applied on the client side (browser) by evaluating the following access control header values returned from the server:

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers

As you can see, the request must first be completed on the server in order for the browser to inspect the returned headers. This is exactly the reason why your request executes on the server.

You can have a look at Principles of the Same-Origin Policy by A. Barth.

Jacques Snyman
  • As per the question, "browser does download ALL the 1MB". So I wonder, does the browser really need to download all that, since the response should start with the headers which tell it not to download this. – Panu Logic Apr 24 '19 at 13:20

See bobince's answer at a similar question:

As per XMLHttpRequest level 2, browsers allow cross-origin GETs to be sent without preflighting, but don't allow the results to be read from the response unless the remote domain opts in. There is no additional vulnerability here because you can already cause a GET to an arbitrary URL to be sent (including query string, for what it's worth) through multiple more basic interfaces.

For example you have always been able to create an element with its src set to an address on a remote domain; taking away that cross-domain ability would break a lot of the existing web.

Daniel B.
  • > There is no additional vulnerability here ... I wonder. I understand cross-origin GET needs to work with IMG and IFRAME and SCRIPT tags. But does it NEED to work from WITHIN scripts, meaning XmlHttpRequest? If not, it seems like more power to the hackers that it does. I wonder if the better way would be for browsers to use HEAD to get the credentials instead. – Panu Logic Apr 24 '19 at 13:14
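To make both answers concrete, here is an added example (not code from the question or from either answer) that models the browser-side decision: a "simple" GET is sent without preflight and the whole response is downloaded, and only afterwards does the browser evaluate Access-Control-Allow-Origin and friends to decide whether the script may read it, while non-simple requests (other methods, custom headers, JSON bodies) are held back until an OPTIONS preflight permits them. The fake server, its hit log and the 1MB body are constructed for the demonstration; the rules follow the Fetch/CORS definitions and go slightly beyond the bare-GET case in the question by also covering credentialed requests and preflighted ones.

```javascript
// Added example, not code from the question or either answer: a model of the
// browser-side CORS decision the answers describe. The fake server and its hit
// log are constructed for the demonstration; the rules follow the Fetch/CORS
// definitions of "simple" requests, preflight, and response readability.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Lower-case header names so lookups are case-insensitive, as in HTTP.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) out[name.toLowerCase()] = String(value);
  return out;
}

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Request headers that are not CORS-safelisted (a Content-Type outside the
// three form-style MIME types counts as non-safelisted too).
function nonSafelistedHeaders(headers) {
  const h = normalizeHeaders(headers);
  return Object.keys(h).filter((name) => {
    if (!SAFELISTED_HEADERS.has(name)) return true;
    if (name !== "content-type") return false;
    return !SAFELISTED_CONTENT_TYPES.has(h[name].split(";")[0].trim().toLowerCase());
  });
}

// A "simple" request (safelisted method and headers) is sent with no preflight,
// which is exactly the case the question observed with a bare GET.
function needsPreflight(method, headers) {
  return !SAFELISTED_METHODS.has(method.toUpperCase()) || nonSafelistedHeaders(headers).length > 0;
}

// May a page at requestOrigin read a response with these headers? The browser
// can only evaluate this after the response (headers and body) has arrived.
function canReadResponse(requestOrigin, responseHeaders, withCredentials) {
  const h = normalizeHeaders(responseHeaders);
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (withCredentials) {
    // Credentialed responses need an exact origin match plus explicit opt-in.
    return allowOrigin === requestOrigin && h["access-control-allow-credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === requestOrigin;
}

// Does a preflight (OPTIONS) response permit the real request to be sent?
function preflightPermits(requestOrigin, preflightHeaders, method, requestHeaders, withCredentials) {
  const h = normalizeHeaders(preflightHeaders);
  if (!canReadResponse(requestOrigin, h, withCredentials)) return false;
  const methods = splitList(h["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.has(method.toUpperCase()) && !methods.includes(method.toLowerCase())) return false;
  const allowed = splitList(h["access-control-allow-headers"]);
  return nonSafelistedHeaders(requestHeaders).every((name) => allowed.includes(name));
}

// Constructed target server: records every hit so the example can show whether
// a request reached the server regardless of how the browser treats the reply.
function makeServer(corsHeaders) {
  const hits = [];
  return {
    hits,
    handle(request) {
      hits.push(`${request.method} ${request.path}`);
      return { status: 200, headers: corsHeaders, body: "x".repeat(1024 * 1024) };
    },
  };
}

// Model of one cross-origin XHR from requestOrigin to server.
function crossOriginXhr(requestOrigin, server, request) {
  const creds = !!request.withCredentials;
  const result = { preflightRequired: needsPreflight(request.method, request.headers), requestSent: false, bytesDownloaded: 0, readable: false };
  if (result.preflightRequired) {
    const pre = server.handle({ method: "OPTIONS", path: request.path });
    if (!preflightPermits(requestOrigin, pre.headers, request.method, request.headers, creds)) return result;
  }
  // The actual request always goes out and the whole body is downloaded;
  // only afterwards does the browser decide whether the script may read it.
  const response = server.handle(request);
  result.requestSent = true;
  result.bytesDownloaded = response.body.length;
  result.readable = canReadResponse(requestOrigin, response.headers, creds);
  return result;
}

// Usage: the question's scenario, a bare GET from localhost to a site with no CORS headers.
const noCors = makeServer({});
console.log(crossOriginXhr("http://localhost", noCors, { method: "GET", path: "/log.php", headers: {} }), noCors.hits);
```

Running the usage line reproduces the observation in the question: the server log shows one `GET /log.php`, the full 1MB body is counted as downloaded, and `readable` is false because no Access-Control-Allow-Origin header came back. The preflight branch shows the other side of the design: a PUT with a JSON body against the same server never leaves the browser, because the OPTIONS response does not permit it.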