59

I have some trouble understanding the same-origin policy and the different ways to "workaround" it.

It is clear that the same-origin policy exists as a security measure, so one script that comes from a server/domain has no access to data coming from another server/domain.

It is also clear that sometimes, it is useful to be able to break this rule, so for example a mashup application accesses information from different servers in order to build up the results wanted. And one of the ways to do this is CORS.

1) If I'm not wrong, CORS allows the target server to say to the browser "it is ok for you to take data/code from myself" by adding some headers in the response. But, if this is correct, this means that a malicious server could just add this header and the browser would allow the retrieval of any data or code, potentially harmful, coming from that server.

2) On the other side, we have JSONP, allowing us to retrieve arbitrary code or data from a server without CORS enabled, thus avoiding the main goal of the SOP. So again, a malicious server able to manage JSONP is able to inject data or code even with the SOP hardwired in the browser.

So my questions are:

Is the second argumentation correct? Is it the decision of the server whether the browser must accept the contents? Is the second argumentation correct? It is, again, not in the browser's decision whether to accept or not data?

Does not JSONP render the SOP useless?

Thanks for enlightening me!!

Roberto
  • 888
  • 8
  • 11
  • 2
    Possible duplicate of [Same origin Policy and CORS (Cross-origin resource sharing)](https://stackoverflow.com/questions/14681292/same-origin-policy-and-cors-cross-origin-resource-sharing) – Boghyon Hoffmann Feb 28 '18 at 00:43

1 Answers1

39

The important thing to note here is that if the user is signed in to a site http://example.com/ and the request http://example.com/delete?id=1 deletes a post by the user, then the following code will delete the user's post:

<script src="http://example.com/delete?id=1" />

This is called a CSRF/XSRF attack (cross-site request forgery). This is why most server-side web applications demand a transaction ticket: instead of http://example.com/delete?id=1 you have to do http://example.com/delete?id=1&txid=SomethingTheUserCannotGuess

Now the following attack won't work:

<script src="http://example.com/delete?id=1" />

...because it doesn't contain the txid parameter. Now, let's consider what happens if the site could be accessed using XmlHttpRequest. The script running on the user's browser could behind the user's back retrieve and parse http://example.com/pageThatContainsDeleteLink, extract the txid and then request http://example.com/delete?id=1&txid=SomethingTheUserCannotGuess

Now, if XmlHttpRequest cannot access sites having a different origin, the only way to try to retrieve the txid would be to try to do something like:

<script src="http://example.com/pageThatContainsDeleteLink" />

...but it doesn't help as the result is a HTML page, not a piece of JavaScript code. So, there's a reason why you can include <script>s from other sites but not access other sites via XmlHttpRequest.

You may be interested in reading this: http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/

This attack worked against Gmail back in the day and allowed you to fetch the user's mails from JavaScript code running on another site. This all shows that the security model of WWW is very subtle and not well thought of. It has evolved instead of being well-designed.

As for your question: you seem to think that the server http://example.com/ is the malicious one. That's not the case. Using the notations of my answer, http://example.com/ is the server that is the target of the attack, and http://attacker.com/ is the site of the attacker. If http://example.com/ opens up the possibility to send requests using JSONP or CORS, it is true that it may become vulnerable to the CSRF/XSRF attack I just described. But it does not mean that other sites would become vulnerable to the attack. Similarly, if http://attacker.com/ opens up the possibility to send requests using JSONP or CORS, the attacker's site just became vulnerable to a CSRF/XSRF attack. Thus, a misinformed server administrator may open up a hole in his own site but it doesn't affect the security of other sites.

Edit: a valid comment was made. It explained that the following code:

<script src="http://example.com/delete?id=1" />

...sends a GET request, and that example.com should accept only POST or DELETE requests if the request changes state such as deletes something important.

This is true, a well-designed site shouldn't change state based on any GET request. However, this sends a POST request:

<p>You just won $100! Click below to redeem your prize:</p>
<form action="http://example.com/delete" method="post">
  <input type="hidden" name="id" value="1" />
  <input type="submit" value="Redeem prize" />
</form>

In this case, the code claiming the user won $100 can be embedded into the attacker's site and it sends a POST request not to the attacker's site but rather the victim's site.

juhist
  • 4,210
  • 16
  • 33
  • 7
    That is a very well argumented explanation about why the same-origin policy has to be enforced. However, my question was about whether this policy can be simply overriden with a malicious server having CORS enabled, or with JSONP as mechanism for remote data/code retrieval. – Roberto Mar 23 '15 at 09:27
  • 1
    Oh, I see. I edited the answer to try to answer your real question. So, using my CSRF/XSRF attack there would be no security problems as the http://example.com/ when enabling CORS/JSONP would open up a security hole on THEIR site, not on OTHER sites. – juhist Mar 23 '15 at 09:59
  • I start to see the light at the end of the tunnel... So the only way to be able to run remote evil code would be to inject a page in the example.com domain an enable CORS on the evil server. This would force the browser to ignore the same-origin policy. Thanks! – Roberto Mar 24 '15 at 10:39
  • First of all: If I have `mysite.com` and I'm making a request to `example.com`, why would it matter if the user has previously signed in or not? How should what they do on 1 site affect a totally different site? Also, for `` won't the browser be sending a `GET` request? If a `GET` deletes a resource, that seems like `example.com`'s mistake. – Kenmore Mar 04 '19 at 02:59
  • 1
    For a normal user yes, it is a bit useful but if you can attempt to do CSRF/XSRF attack then you also know how to use cURL which can 100% ignore the same-origin policy. It's so outdated and it only annoys developers. – tiltdown Sep 25 '19 at 08:56
  • 1
    @tiltdown you cannot execute the same attack from this answer with cURL. With cURL you don't have the current user credentials/context so example.com won't accept your delete request. – refaelio Dec 28 '20 at 13:30
  • But couldn't you inject malicious Javascript with a browser extension or some other attack vector into the client application? Then you can send the credentials to your server, and then use those to attack the server e.g. By deleting the user. Because CORS won't protect anything there, as origin is sent by the requestee. – totkeks Jun 29 '22 at 17:01
  • If you can install a malicious browser extension, you can do a lot more harm than just stealing cookies. – juhist Sep 09 '22 at 16:47