Cross-domain AJAX is forbidden in browsers for a reason (the same-origin policy). Explicitly breaking that restriction comes with its own security problems. But I'm coming to believe this approach isn't any worse than going without it.
1) Cross-site requests are dangerous because they let one site post data to another site without your knowledge (that is cross-site request forgery, though it often gets lumped in with XSS). Of course, you can do this easily with a server-side script. You can also do it with <script> tags, even without my proxy.
2) This page discusses the question of why cross-domain AJAX is a bad idea. Basically, the only reason it comes up with is that AJAX carries your login credentials, like cookies, along with the request. My system prevents that: the request to the target site is made from my server, which holds none of your cookies for that site.
3) There is definitely a hole where a request through my proxy hides the originator of the request: the target site sees my server's address, not the page that asked for the data. Of course, since the caller is JavaScript, it's tough to track the originating server anyway. I log things clearly and I'll respond quickly to warrants, so I don't think there's a ton of concern here.
Okay, but what do you lose using my system in lieu of AJAX?
1) Cookies. No apologies there at all; read #2 above.
2) POST variables: the proxy does not forward them.
3) I put an artificial limit of 100k on the size of the response.
4) Speed! Having to hop through my dinky server slows things down terribly.