From: Surging clouds
Standards are no help here either; they struggle to be Secure By Default.
In the latest W3C standard, HTTP cross-origin requests are implemented as Cross-Origin Resource Sharing (CORS). Put simply, the cross-origin target server must return a series of headers that control whether it agrees to the cross-origin request.
These headers (section 4, Syntax, of the specification) include:
- 4.1 Access-Control-Allow-Origin (HTTP response header)
- 4.2 Access-Control-Max-Age (HTTP response header)
- 4.3 Access-Control-Allow-Credentials (HTTP response header)
- 4.4 Access-Control-Allow-Methods (HTTP response header)
- 4.5 Access-Control-Allow-Headers (HTTP response header)
- 4.6 Origin (HTTP request header)
- 4.7 Access-Control-Request-Method (HTTP request header)
- 4.8 Access-Control-Request-Headers (HTTP request header)
Some of them travel in the request and some in the response.
The most sensitive one is Access-Control-Allow-Origin. The W3C standard uses this header to decide whether the cross-origin request is allowed through (the Access Control Check).
The cross-origin flow is roughly as follows:
From http://www.a.com/test.html a cross-origin request is initiated to
http://www.b.com/test.php
If server B returns the following header:
Access-Control-Allow-Origin: http://www.a.com
then this cross-origin request from http://www.a.com/test.html is allowed through.
During this process the request also carries the header:
Origin: http://www.a.com
What is alarming is that the value of Access-Control-Allow-Origin may be the wildcard *.
With *, the server accepts requests from any source origin.
I can already imagine the terrible consequences of this feature being abused by programmers and used to create backdoors!
In Firefox 3.1 Beta 2 the packet capture is as follows:
GET http://www.b.com/test.php HTTP/1.1
Host: www.b.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2 Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.5
Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.a.com/test.html
Origin: http://www.a.com
Cache-Control: max-age=0

HTTP/1.1 200 OK
Date: Thu, 15 Jan 2009 06:28:54 GMT
Server: Apache/2.0.63 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Access-Control-Allow-Origin: *
Content-Length: 28
Content-Type: text/html

Cross Domain Request Test!
The two pieces of code are roughly as follows:
www.a.com/test.html:
<script>
// A plain XMLHttpRequest; the browser adds the Origin header by itself
var client = new XMLHttpRequest();
client.open("GET", "http://www.b.com/test.php");
client.onreadystatechange = function () {};
client.send(null);
</script>
www.b.com/test.php:
<?php
// Wildcard: any origin may read this response (the behaviour the post warns about)
header("Access-Control-Allow-Origin: *");
?>
Cross Domain Request Test!
Besides this header, other headers control things such as the allowed methods and how long the preflight result may be cached; refer to the standard, they are not covered here.
For security reasons, a cross-origin request gives the requesting page no access to the target's document.cookie object.
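The exchange between www.a.com and www.b.com described above, modelled on both sides as an added example (this is not code from the original post). The server side shows three policies for answering the Origin header: the wildcard used by the test.php above, a blind reflection of the Origin with credentials enabled, and an exact-match allow list; the browser side performs the Access Control Check on whatever comes back. The origin names evil.example and the allow list are assumptions chosen for illustration, and request headers are plain objects with lower-case keys standing in for a real server's header map.

```javascript
// Added example, not code from the original post: a model of both sides of the
// CORS exchange above. www.a.com, www.b.com, evil.example and the allow list are
// assumptions chosen for illustration; request headers are plain objects with
// lower-case keys standing in for a real HTTP server's header map.

// Server side (what the test.php above does): the wildcard. Any origin on the
// web may read the response.
function wildcardResponseHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Server side, a common mistake: reflect whatever Origin arrives and also
// allow credentials. This is the "backdoor" shape: every origin passes, and
// the victim's cookies ride along with the request.
function reflectingResponseHeaders(requestHeaders) {
  const origin = requestHeaders["origin"];
  if (origin === undefined) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Server side, hardened: exact-match allow list of serialized origins
// (scheme://host[:port]). An unknown Origin gets no CORS headers at all, so
// the browser blocks the read.
function allowListResponseHeaders(requestHeaders, allowedOrigins, allowCredentials) {
  const origin = requestHeaders["origin"];
  if (origin === undefined || !allowedOrigins.includes(origin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": origin, // echo only a vetted origin
    "Vary": "Origin",                      // the response differs per Origin; keep caches honest
  };
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser side: the Access Control Check on the response. The value must be
// "*" or an ASCII case-sensitive match for the request's Origin, and "*" is
// refused when the request carried credentials (cookies, HTTP auth).
function accessControlCheck(requestOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  if (acao !== requestOrigin) return false;
  if (withCredentials && responseHeaders["Access-Control-Allow-Credentials"] !== "true") return false;
  return true;
}

// Run the three server policies against a legitimate and a hostile origin.
function demo() {
  const allowList = ["http://www.a.com"];
  const fromA = { origin: "http://www.a.com" };
  const fromEvil = { origin: "http://evil.example" };
  return {
    allowListA: accessControlCheck(fromA.origin, allowListResponseHeaders(fromA, allowList, true), true),
    allowListEvil: accessControlCheck(fromEvil.origin, allowListResponseHeaders(fromEvil, allowList, true), true),
    wildcardEvil: accessControlCheck(fromEvil.origin, wildcardResponseHeaders(), false),
    wildcardEvilWithCookies: accessControlCheck(fromEvil.origin, wildcardResponseHeaders(), true),
    reflectedEvilWithCookies: accessControlCheck(fromEvil.origin, reflectingResponseHeaders(fromEvil), true),
  };
}

console.log(demo());
```

The wildcard lets any origin read the response but at least cannot be combined with credentials; the reflecting server is the dangerous one, because it hands every origin a credentialed read. The allow list answers only origins it knows and stays silent otherwise, which is what you want a server to do when the Origin header is absent or unexpected.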
In IE8 Beta 2, this kind of cross-origin request is implemented through XDomainRequest.
For example:
var request = new XDomainRequest();
request.open("GET", xdomainurl); // xdomainurl: the cross-origin URL to fetch
request.send();
The other server is likewise required to return this header.
The IE developers published a short video today:
http://ieblog.members.winisp.net/images/XdomainRequest-small.wmv
Currently this cross-origin mechanism is supported by:
Firefox 3.1 Beta 2
IE 8 Beta 2
It will take some time to become widespread.
Finally, the Firefox 3.1 cross-domain implementation documentation:
https://developer.mozilla.org/En/HTTP_access_control