Access-control-allow-origin cross-domain Request security vulnerability

The latest in the standard is to implement HTTP cross-domain requests, cross-origin Resource sharing, is the cross-domain target server to return a series of headers, through these headers to control whether the cross-domain consent.

These headers are:

• 4 syntax
  • 4.1  Access-control-allow-origin  http Response Header
  • 4.2  Access-control-max-age  http Response Header
  • 4.3  Access-control-allow-credentials  http Response Header
  • 4.4  access-control-allow-methods  http Response Header
  • 4.5  access-control-allow-headers  http Response Header
  • 4.6  Origin  http Request Header
  • 4.7  Access-control-request-method  http Request Header
  • 4.8  Access-control-request-headers  http Request Header

There are some in the request package and in the Response package.

One of the most sensitive is the access-control-allow-origin Header, which is used to check whether the cross-domain request can be passed. (Access Control Check)

The process of implementing a cross-domain is roughly as follows:

A cross-domain request is initiated from http:// www.a.com/test.html , with the requested address, HTTP/. www.b.com/test.php, if Server B Returns a header like the following

access-control-allow-origin:http://www.a.com, the cross-domain request from http://www.a.com/test.html will be passed.

In this process, the request will also bring this header:origin:http://www.a.com

But what's more deadly here is that the Access-control-allow-origin value can be a wildcard character *

If it is *, you can receive a request from any source origin.

I can already imagine the horrible consequences of this feature being abused by programmers and used to make a backdoor!

On the Firefox 3.1 Beta 2 grab the package as follows:

GET http://www.b.com/test.php http/1.1
Host:www.b.com
user-agent:mozilla/5.0 (Windows; U Windows NT 5.1; ZH-CN; RV:1.9.1B2) gecko/20081201 firefox/3.1b2 paros/3.2.13
accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language:zh-cn,zh;q=0.5
accept-charset:gb2312,utf-8;q=0.7,*;q=0.7
keep-alive:300
Proxy-connection:keep-alive
Referer:http://www.a.com/test.html
Origin:http://www.a.com
Cache-control:max-age=0

http/1.1 OK
Date:thu, 06:28:54 GMT
server:apache/2.0.63 (WIN32) php/5.2.6
x-powered-by:php/5.2.6
Access-control-allow-origin: *
Content-length:28
Content-type:text/html

Cross Domain Request test!

The two pieces of code are roughly the following:
Www.a.com/test.html:

-Shrinkage HTMLCode Run code[If the run is ineffective, save the source code as an HTML file]<script>
var client = new XMLHttpRequest ();
Client.open ("GET", "http://www.b.com/test.php");
Client.onreadystatechange = function () {}
Client.send (null);
</script>

www.b.com/test.php: Cross Domain Request test!

In addition to this header, but also through a number of other headers to control such as Method, time, etc., you can refer to the standard, do not repeat this.

Cross-domain requests cannot access Document.cookie objects for security reasons

For IE8 Beta 2, this cross-domain request is implemented through Xdomainrequest , such as code similar to the following:

-Shrinkage JavaScriptCodevar request = new Xdomainrequest ();
Request.open ("GET", Xdomainurl);
Request.send ();

Also requires the other server to return this header.

IE developers released a small video today: http://ieblog.members.winisp.net/images/XdomainRequest-small.wmv

Currently, the requirement to support this cross-domain implementation

Firefox 3.1 Beta2

IE 8 Beta2

Wait until there is a time for popularization.

Finally, add a Firefox3.1 to implement the cross-domain documentation:
Https://developer.mozilla.org/En/HTTP_access_control