52

I was trying to hit a web service on a different domain using jQuery's ajax method. After doing some research it looks like it does not allow this by design, to prevent cross site scripting.

I came across a work around which was to include this line:

$.support.cors = true;

at the top of my javascript code. From what I understand this enables cross site scripting in jQuery.

Does having this line of code make my site more vulnerable to attack? I've always heard XSS discussed as a security issue, are there legitimate uses for XSS?

Abe Miessler
  • Background: http://api.jquery.com/jQuery.support/ I don't think that setting *enables* anything though. It just tells jQuery what is supported – Pekka Oct 21 '11 at 16:15
  • @Pekka - The very document you link says exactly the opposite. – Álvaro González Oct 21 '11 at 16:19
  • @Alvaro you don't *enable* CORS by setting that variable. You just tell jQuery that you're in an environment where Cross-Domain XHR requests are possible. (So, granted, you enable their use in jQuery, fair enough.) – Pekka Oct 21 '11 at 16:21

3 Answers

35

XSS is not a feature that can be enabled in jQuery. It would be very, very unusual if the jQuery core had an XSS vulnerability, but it is possible, and it's called DOM-based XSS.

"Cross-Origin Resource Sharing" or CORS isn't the same as XSS, but if a web application had an XSS vulnerability, then an attacker would have CORS-like access to all resources on that domain. In short, CORS gives you control over how you break the same origin policy such that you don't need to introduce a full-on XSS vulnerability.

The $.support.cors query feature relies upon the Access-Control-Allow-Origin HTTP response header. This could be a vulnerability. For example, if a web application had Access-Control-Allow-Origin: * on every page, then an attacker would have the same level of access as an XSS vulnerability. Be careful on which pages you introduce CORS headers, and try to avoid * as much as possible.

So to answer your question: NO, a web application never needs to introduce an XSS vulnerability, because there are ways around the SOP such as CORS/jsonp/cross domain proxies/access-control-origin.

rook
  • If you have a simple GET that you want to enable only and you have subdomains across a website, then how do you make the default :visited style behavior work in a link? You don't, given your philosophy. – King Friday Nov 15 '12 at 23:32
  • @kitgui.com I have no idea what you are asking or what it has to do with security. – rook Nov 16 '12 at 01:51
  • in phonegap for android, access control origin is normally set to "*", but on a mobile that's expected. you mean that this is an issue? – netalex Feb 23 '14 at 16:27
  • CORS is always server-side. Android has its own ways of violating the SOP for its browser apps. This is really a different question, but the rationale here is that by installing the app, the user has granted permission to a browser app to run independently from the SOP, which would be true for an app written in Java. – rook Mar 10 '15 at 16:43
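Added example (not code from the question, any answer, or jQuery itself): a Node.js sketch of the server-side decision the answer above describes, with the wildcard policy beside an allowlist policy and a simplified model of the browser's check. The origins are constructed placeholders.

```javascript
// Added example, not code from the question, the answers, or jQuery:
// a server-side CORS decision alongside a model of the browser check.
// Origins below are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Weak policy from the answer: "*" on every page. Any site can read the
// response body (browsers do refuse to combine "*" with credentials, so
// cookies stay out of it, but anything public to an anonymous client is
// readable cross-origin).
function wildcardCors() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened policy: echo the Origin only when it is on an explicit
// allowlist. Vary: Origin keeps caches from handing one origin's answer
// to another. Unknown or malformed Origin values get no CORS header, so
// the browser falls back to enforcing the same-origin policy.
function allowlistCors(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string') return {};
  let normalized;
  try {
    normalized = new URL(originHeader).origin; // lowercases host, drops path
  } catch (_) {
    return {};                                 // e.g. Origin: null
  }
  if (!allowlist.has(normalized)) return {};
  return {
    'Access-Control-Allow-Origin': normalized,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Simplified model of the browser's resource-sharing check: the page at
// requestOrigin may read the response only if the header is "*" (and the
// request carried no credentials) or names exactly that origin (with
// Allow-Credentials: true when credentials were sent).
function browserMayRead(headers, requestOrigin, withCredentials = false) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;
  if (acao !== requestOrigin) return false;
  return !withCredentials ||
    headers['Access-Control-Allow-Credentials'] === 'true';
}
```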
11

It can help only if you have CORS enabled in your browser but it isn't supported by jQuery yet:

To enable cross-domain requests in environments that do not support cors yet but do allow cross-domain XHR requests (windows gadget, etc), set $.support.cors = true;. CORS WD

Just setting this property to true can't cause a security vulnerability.

bjornd
3

When a hacker is able to inject script code to change the requests to another domain, he is also able to set this javascript flag in the script.

So whether this flag is set doesn't change much at this point of the intrusion.

Tim
  • This really doesn't answer the question. At the point of intrusion, all bets are off; but the idea is to prevent that from happening. – jpaugh Dec 02 '15 at 15:29