-1

Assuming we allowed cross-domain Ajax requests.

The code would look something like this:

  $.post('http://google.com/get/emails/all', function(emails) {
      // I can see your emails
      readAllEmails(emails);
  });

What are the security risks with this call? Won't mail.google.com just deny the request, and that would be the end of it?

Edit: To clarify the question above.

In the scenario above, which cookies get sent to mail.google.com? Is it all the cookies that your browser is currently storing, or just the domain's cookies? If it's all the cookies then I understand why cross-domain Ajax calls are an issue. However, if that was the case I don't understand why the browser would send all the cookies; what is the advantage?

Mr. Smee
  • 968
  • 11
  • 28
  • 1
    Where did you get this from? That's not what cross-domain AJAX does. – Christophe Feb 16 '14 at 01:14
  • 2
    Your understanding is seriously flawed. Pages from John Doe's Bad Site *cannot* make AJAX calls to `mail.google.com`. Doing so would be a *violation* of the Same Origin Policy, so it's disallowed. Cross-domain AJAX is only allowed by sites that house facilities that do not compromise someone's privacy or belongings. Google Mail is not such a site, but (with some restrictions) Google Maps might be an example of one that is. – Pointy Feb 16 '14 at 02:02
  • @Pointy I've updated my question. The first part of my question was meant for a different question I was going to ask. – Mr. Smee Feb 16 '14 at 03:45
  • "won't mail.google.com just deny the request" So, assuming this worked, why would you think that mail.google.com could just deny the request? I would argue that, if this actually worked, they wouldn't possibly be able to tell the difference between user-initiated and malicious-script-initiated requests, which is basically the whole problem in the first place. – user229044 Feb 16 '14 at 04:46
  • @meagar I think that mail.google.com would just deny the request because the user does not have a session cookie from Google, since the request came from a different domain. If that's incorrect, why? – Mr. Smee Feb 16 '14 at 06:26
  • 1
    @Mr. Smee: it's incorrect because the user would have cookies, since you're performing a request to `google.com`, which you have cookies for. Cookies are sent according to the domain you're sending to, not the domain you're sending from. – zerkms Feb 18 '14 at 03:29
  • @zerkms well that clarifies things. Do you have a good resource that explains that clearly? – Mr. Smee Feb 18 '14 at 03:32
  • @zerkms and one more thing: why would the browser send cookies that belong to the website we are requesting? Wouldn't it be safer to only send along cookies that belong to the website where the request is coming from? – Mr. Smee Feb 18 '14 at 05:25

2 Answers

3

Cross-domain AJAX calls are denied by default due to the Same-Origin Policy in browsers. This means that a web page loaded from yourdomain.com, executing JavaScript, cannot make AJAX calls to mail.google.com or other domains outside yourdomain.com.

Modern browsers allow limited AJAX calls to other domains via Cross-Origin Resource Sharing (CORS). This allows another site like www.publicapi.com to authorize cross-domain requests over AJAX by specifying Access-Control-* headers for allowed domains and methods. These CORS requests operate in a limited access context and will not get/set cookies for www.publicapi.com or HTTP authorization.

Some browsers allow enabling cookies/authorization through the Access-Control-Allow-Credentials header, but this is dangerous for most applications.

In particular, if HTML on yourdomain.com tries to access mail.google.com via AJAX, it will fail. If mail.google.com enabled CORS access for some APIs, you could read public data but not be authenticated by cookies or HTTP auth. If mail.google.com set Access-Control-Allow-Credentials headers, your browser supported it, and you had a pre-existing session on mail.google.com, you could make AJAX requests as your logged-in user.

This is a major security risk for Google Mail and would not ever be enabled. However, for public APIs or essentially public data, CORS can enable AJAX usage cross-domain.

Winfield
  • 18,985
  • 3
  • 52
  • 65
  • My question is more what the security risks are, but @zerkms answered that by saying that the cookies sent are the cookies that belong to the website being requested, as opposed to the website requesting. This mostly answered my question; I'm still not clear on why browsers would send the requesting cookies as opposed to the requester's cookies. I would also love to see a write-up on cookies in general. – Mr. Smee Feb 18 '14 at 20:39
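As an added example (not code from the question or from either answer), here is a small JavaScript model of both halves of the exchange Winfield's answer describes: which cookies the browser attaches to a request sent to mail.google.com from another site (the point zerkms makes in the comments), and whether the calling page is then allowed to read the response under three server-side CORS policies. The cookie jar, host names, policy names and function names are constructed for illustration and are not a real browser or library API.

```javascript
// Constructed cookie jar for the model: cookies are keyed by the host that set them.
const COOKIE_JAR = {
  'mail.google.com': ['SID=victim-session'],
  'evil.example': ['tracker=abc'],
};

// Browser side, request: cookies are chosen by the *target* host (domain match),
// never by the host of the page that issued the request. For a cross-origin
// XHR they are only attached when the page asked for a credentialed request.
function cookiesFor(targetHost, withCredentials, jar = COOKIE_JAR) {
  if (!withCredentials) return [];
  return Object.entries(jar)
    .filter(([domain]) => targetHost === domain || targetHost.endsWith('.' + domain))
    .flatMap(([, cookies]) => cookies);
}

// Server side: three policies an API might apply to the incoming Origin header.
const POLICIES = {
  // Public data: any origin may read, but credentials are never granted.
  publicData: () => ({ 'Access-Control-Allow-Origin': '*' }),
  // Allowlist: exact origin echoed and credentials granted only to listed origins.
  allowlist: (origin, allowed) => allowed.includes(origin)
    ? { 'Access-Control-Allow-Origin': origin,
        'Access-Control-Allow-Credentials': 'true',
        'Vary': 'Origin' }
    : {},
  // Weak: reflects whatever Origin arrives and grants credentials to it.
  reflectAny: (origin) => ({ 'Access-Control-Allow-Origin': origin,
                             'Access-Control-Allow-Credentials': 'true' }),
};

// Browser side, response: may page script at `pageOrigin` read the body?
// A credentialed request needs the exact origin plus Allow-Credentials; '*' is refused.
function mayRead(pageOrigin, withCredentials, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao === pageOrigin && headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// Whole exchange: a page at pageOrigin fires a $.post-style request at targetHost.
// Returns the cookies that travelled with the request and whether the page can
// read the reply; cookies may be sent even when the reply stays unreadable.
function simulate(pageOrigin, targetHost, policyName, { withCredentials = false, allowed = [] } = {}) {
  const cookiesSent = cookiesFor(targetHost, withCredentials);
  const headers = POLICIES[policyName](pageOrigin, allowed);
  return { cookiesSent, readable: mayRead(pageOrigin, withCredentials, headers) };
}
```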
1

is it all the cookies that your browser is currently storing or is just the domain cookies?

Just the domain's. Sending all domains' cookies would be a disaster.

Anyway, I think this is the same topic:

Why the cross-domain Ajax is a security concern?

Community
  • 1
  • 1