
We can simply make a GET request for any page on the web using HTML tags from another origin:

<script src="http://example.com/user/post?txt=sample"></script>

XHR to another origin is blocked for security reasons; for instance, an attacker could post on behalf of a user using a GET request (consider the fact that it is not possible because of the lack of cookies). However, the above script tag will do the same (again, cookies are not available). So why is an XHR GET request not allowed?

1 Answer


GET requests are not supposed to change anything on the server. From RFC 2616 section 9.1.1:

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe".

In your example of posting to a site using a GET request, the site shouldn't even allow that, and the same-origin policy isn't really meant to prevent it.

The reason XHR is treated differently is that XHR returns the HTTP response to the JavaScript code that made the request, so it has the potential to leak information. For example, if cross-domain XHR GET requests were allowed, a malicious script could query your bank's website to find out how much money is in your account.

Other methods of performing GET requests don't leak information. In particular:

  • You can add a <script> tag to the document, but the browser will try to run the response as a script. Unless the response is a valid script that's specifically designed to provide data using the JSONP convention, your code can't "see" anything that was in the response.
  • You can add an <img> tag to the document and maybe load some of the user's personal photos from another site, but the image will only appear on the screen; you can't access the pixel data from JavaScript.
Wyzard
    @Kousha: For sensitive information provided by AJAX, only enabling the POST method might be wise in order to prevent [JSON Hijacking](http://haacked.com/archive/2009/06/25/json-hijacking.aspx/). This bug is only possible in old browsers (e.g. Firefox 3) - you never know if anything similar will come round again. It might not but it comes with so little cost to have POST only that it is probably worth it as an extra line of defence. – SilverlightFox May 19 '14 at 09:41
  • @Wyzard, Regarding your last paragraph, Couldn't you read the size of the ` – Pacerier Mar 29 '15 at 01:30
  • @Pacerier, it's unclear what you mean by the "size" of the tags. If you look at a ` – Wyzard Mar 29 '15 at 02:37
  • @Wyzard, Wait, [`script_element.innerHTML`](http://stackoverflow.com/questions/4129067/how-to-get-a-script-tags-innerhtml#comment-4451746) would work right? Also [`img_element.fileSize`](http://stackoverflow.com/questions/1310378/determining-image-file-size-dimensions-via-javascript) – Pacerier Mar 29 '15 at 05:01
  • The `innerHTML` of a script element is just what's in the DOM: the text between the `<script>` tags. The code referenced by the `src` attribute is not placed into the DOM and can't be seen via `innerHTML`. – Wyzard Mar 29 '15 at 09:40