
Let's imagine that site A embeds a JavaScript file using a standard script tag pointing to server B. Next, site A makes a JSONP or AJAX request to a resource on server B. Is there any way for server B to definitively know that a specific JSONP request originated from a user on site A, and not from a user on another site spoofing their HTTP referrer?

The only reason I think there is any realm of possibility is that site A started the communication with its embedding of server B's JavaScript. In a way, couldn't this original communication act as a security handshake, allowing subsequent calls to pass through securely? But because the handshake was made through insecure means, doesn't that prevent it from acting as a security handshake?

Any ideas of how this task can be accomplished? Every solution I can think up is broken by the notion that every element of an AJAX call can be faked.

I read http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html and "Detecting Ajax in PHP and making sure request was from my own website", but as far as I could tell they focused on ensuring the veracity of the user and not the veracity of the referrer.

Owen Allen

2 Answers


With Ajax over HTTPS you could, if you wanted, configure your server to require mutual authentication.

Paul Whelan

You could use a hash chain to verify origin.

On page load, generate X hashes from a random value and send the last hash with the initial request (the script tag), e.g. Hash[100]. Send every subsequent request with Hash[last-1].

On server B, check whether hash(received_hash) is the same as the last one.

Lauri
  • That would mean the client would be responsible for creating the hash values. Since I do not have control of the client side (only its JS), wouldn't I have to store the cryptographic function on the client side, thus eliminating all security benefits? Also, how does it help me verify the authenticity of the web page of origin, since the handshake occurs through AJAX? – Owen Allen Nov 16 '10 at 16:42
  • I misunderstood the problem in the first place. Without control of site A there is no secure way. You can make it harder with minimized code and random names in requests. – Lauri Nov 22 '10 at 09:26