2

I know by default the HTML page on other domains can't access my images, videos. They can only show them. But sadly, they can still run my scripts. If my script exposes some variables to the global scope, then the internal logic may be known by others.

I have a private website that others can't visit. Only I can visit it by sending a token in the Cookie to the server. If the token isn't included in the Cookie, every request will cause a 500 server error response. This is secure because everything is on HTTPS.

But unfortunately, I find this isn't very safe on my own machine, because after I visit my site and then visit a malicious site, this malicious site can use the following method to run my script:

<script src="https://my-website.com/main.js"></script>

That's because the Cookies of my website on my machine will be sent to my server as 3rd-party Cookies.

How to prevent that? Can access-control-allow-origin do so?

P.S. I don't want to disable all 3rd-party cookies in browser settings. Cookie's SameSite also doesn't make sense because only Chrome support it now.

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
Zhenzhen Zhan
  • 23
  • 4

1 Answers1

2

There are a number of imaginable ways to prevent other sites from using the script element to run copies of scripts from your site in their sites, but CORS isn’t one of them.

Browsers are where the same-origin policy (SOP) is enforced and browsers are what block JavaScript running in Web apps from being able to use responses from cross-origin requests.

But browsers don’t use SOP/CORS when a Web app uses the script element to embed some JavaScript. Specifically, browsers don’t check that the script is served from the other site with an Access-Control-Allow-Origin header, which is the foundation of the whole CORS protocol.

So CORS is definitely not a solution to the problem you seem to want to solve.

But unfortunately, I find this isn't very safe on my own machine, because after I visit my site and then visit a malicious site, this malicious site can use the following method to run my script:

<script src="https://my-website.com/main.js"></script>

But if that site embeds your script in theirs that way, it runs within their origin, not yours. It runs there as a trusted script with all the same privileges of any script they’ve written themselves.

In that scenario, the other site is the one taking a security risk—because you can at any time change your https://my-website.com/main.js script to do anything you want at their site.

That is, by embedding your script that way, the other site gives your script programmatic fully-trusted access to do anything it wants at their entire origin—gifting you an XSS opportunity.

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
  • Whether other sites trust my script is another thing. So, for my question, it seems I can detect the "Referer" header (because it can't be arbitrarily modified in browser) on server side? Another way may be to force the request to include the token in query string? – Zhenzhen Zhan Feb 16 '17 at 15:45
  • 2
    You can’t depend on Referer. Users can choose to have their browsers not send it http://kb.mozillazine.org/Network.http.sendRefererHeader (and to suppress document.referrer too) , and there are lots of other conditions in which it may be empty http://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty/6880668#6880668 And in browsers that support Referer Policy, authors can also cause the Referer header to be empty http://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty/28836003#28836003 – sideshowbarker Feb 16 '17 at 23:11