Cross-domain AJAX is forbidden in browsers for a reason. Explicitly breaking this restriction comes with its own security problems. But I'm coming to believe this approach is no worse than going without it.
1) XSS is bad because it lets a site send data to another site without your knowledge. Of course, you can do this easily with a server-side script. You can also do it with <script> tags, even without my proxy.
2) This page discusses the question of why cross-domain AJAX is a bad idea. Basically, the only reason they come up with is that AJAX carries login credentials like cookies. My system will prevent that.
3) There is definitely a hole where a request through my proxy hides the originating site of the request. Of course, since it's JavaScript, tracking the originating server is already tough anyway. I log things clearly and I'll respond quickly to warrants, so I don't think there's a ton of concern here.
Okay, but what do you lose using my system in lieu of AJAX?
1) Cookies. No apologies there at all. Read #2 above.
2) POST variables.
3) I put an artificial limit of 100k on the size of the response.
4) Speed! Having to hop through my dinky server slooows things down terribly.
Monday, December 13, 2010
Sunday, December 12, 2010
The XSS Concept
I do a lot of web development, including a bunch of mashups. One problem we have with mashups is that it's difficult to consume data from multiple domains concurrently without a heavy back-end. Google has a great way around this. They abuse the <script> tag, which is allowed to load across sites. The problem with this is that the consumed script has to be written to support this kind of thing. For example, this won't work:
<script src="http://www.google.com"></script>
The page this script references is an HTML page. But <script> tags only grok JavaScript, not HTML.
Other sites will return XML. This also won't work, because XML isn't JavaScript. You can use AJAX to request the XML, but only if it's coming from the same domain as the web page.
Dave's XSS Support is a simple app I wrote which reads from a URL, encodes the result as JSON, and calls a function of your choosing with the output. Your JavaScript page can include any page via my script. Check out the example app, which parses all the NYTimes headlines from its home page, here
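To make concrete what such a proxy has to do, and what the "no cookies / no POST / 100k cap" rules from the post above look like in code, here is an added example of the core of a JSONP-style proxy. It is not the post's own code and does not reproduce Dave's XSS Support; it is written as pure functions for Node.js, with hypothetical names (proxyRequest, buildUpstreamRequest, upstreamFetch) and a constructed fake upstream so it runs with no network. It also shows two checks the post does not mention but a proxy that emits JavaScript needs: the callback name must be a plain identifier, and the JSON must be escaped so that data from the fetched page cannot break out of the script element on the including page.

```javascript
// Added example, not code from the post: the core of a JSONP-style proxy like
// the one described above, as pure functions so it runs with no network.
// Hypothetical names: proxyRequest, buildUpstreamRequest, upstreamFetch.

const MAX_CONTENT_CHARS = 100 * 1024; // the post's artificial 100k cap

// A callback name must be a plain JavaScript identifier path such as "cb" or
// "App.onData". Echoing anything else into the response would let a caller
// put arbitrary script into every page that includes the proxy via <script>.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// JSON.stringify output is not automatically safe as <script> content:
// U+2028/U+2029 are line terminators in JavaScript source, and "</script>"
// inside the data would close the script element early. Escape both.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/<\//g, '<\\/');
}

// Enforce the response cap on the fetched content (counted in characters).
function truncate(text) {
  if (text.length <= MAX_CONTENT_CHARS) return { content: text, truncated: false };
  return { content: text.slice(0, MAX_CONTENT_CHARS), truncated: true };
}

// The upstream request is built from scratch: only the URL is taken from the
// client, and none of its headers are copied, so cookies, Authorization and
// the like never reach the target site (the post's "no cookies" rule).
function buildUpstreamRequest(clientReq) {
  const target = new URL(clientReq.url); // throws on a malformed URL
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    throw new Error('unsupported scheme');
  }
  return { method: 'GET', url: target.href, headers: { 'User-Agent': 'xss-support-proxy' } };
}

// clientReq: { method, url, callback, headers }; upstreamFetch(upstreamReq)
// returns { status, body } and is injected so the example runs offline.
// Returns the HTTP response the proxy would send back to the browser.
function proxyRequest(clientReq, upstreamFetch) {
  const reject = (status, body) => ({ status, contentType: 'text/plain', body });
  if (clientReq.method !== 'GET') return reject(405, 'GET only; POST is not supported');
  if (!isValidCallback(clientReq.callback)) return reject(400, 'bad callback name');
  let upstreamReq;
  try {
    upstreamReq = buildUpstreamRequest(clientReq);
  } catch (e) {
    return reject(400, 'bad url: ' + e.message);
  }
  const upstream = upstreamFetch(upstreamReq);
  const { content, truncated } = truncate(String(upstream.body));
  const payload = { url: upstreamReq.url, status: upstream.status, truncated, content };
  return {
    status: 200,
    contentType: 'application/javascript',
    body: `${clientReq.callback}(${jsonForScript(payload)});`,
  };
}

// Stand-alone demo with a constructed upstream page (no network involved).
const fakeUpstream = () => ({ status: 200, body: '<html><title>Hi</title></html>' });
const demo = proxyRequest(
  { method: 'GET', url: 'http://www.google.com/', callback: 'handle', headers: { cookie: 'sid=1' } },
  fakeUpstream
);
console.log(demo.body);
```

The including page defines a global `handle(payload)` and adds a `<script src="https://proxy.example/?url=...&callback=handle">` tag; the returned script calls it with the fetched page as `payload.content`. Note that such a proxy will fetch any URL it can reach, including hosts on its own network, so a deployed version should also refuse targets that are not public (that check is not shown here).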