Is this ajax behavior normal, security-wise
It seems I'm completely failing to understand ajax security and it's not helping that I keep getting contradicting answers to my questions. So I did this experiment.
I have this js code on site1.com located at http://site1.com/script.js. On the server side, it makes an entry to the database but doesn't return any output. When I call this function from site1.com, I see that the entry was logged in the database as expected.
function enterdb(){
$.ajax({
async: false,
url: 'http://site1.com/test?format=json',
type: 'POST',
data: { input: '1' },
success: function(resp) {
alert(resp);
}
});
}
I copied the same js into the js file of othersite.com, now located at http://othersite.com/script.js to see for myself if it would log into the database. It did not which is good because I don't want people playing my ajax urls from other external scripts. But this contradicts some of the answers I read 开发者_如何学编程in my previous qusetions
this answers matches the result I got
Cross domain is always banned because of the Same Origin Policy.
but the same answer also said
your JavaScript making a XHR and someone spoofing one, they are the same and impossible to differentiate (though you can definitely make it harder).
So what's the verdict? My goal is to secure the ajax urls so that they're not used by external sites like an API to dump data into my database.
Short answer: You are not safe against issue you mention.
Long answer:
Given:
- A — a site you control
- B — a site someone else controls
- Charlie — a visitor to your site who has credentials
your JavaScript making a XHR and someone spoofing one, they are the same and impossible to differentiate (though you can definitely make it harder).
This means you can't tell the difference between Charlie visiting A and Charlie manually constructing an HTTP request to access the URLs you provide for your JavaScript to access.
So what's the verdict? My goal is to secure the ajax urls so that they're not used by external sites like an API to dump data into my database.
If Charlie visits site B, then site B can't read data from site A via Charlie's browser (with Charlie's credentials).
Site B can cause a request to be made to site A by Charlie's browser though (e.g. by submitting an invisible form to an invisible iframe with JS), so site B could cause data to be inserted. This is Cross Site Request Forgery, but there are ways to defend against this.
@zmol : nice to know you experimented on my request :) (How to check if cross-domain requests are disabled)
cross domain policy says something like this :
your domainA serves a pageA which has capability to do ajax calls.
this "pageA"'s ajax can only request resources from domainA and possibly never from domainB.
in your words,
if site1.com served script.js, the script.js can only communicate and load content through site1.com and not through othersite.com.
on the other hand, if the script.js was served from othersite.com, then it will fail to call anything on site1.com because the server rejects the request because of this policy.
this holds true for everyone, as in you can't call ajax on google and google can't ajax-call your domain officially. [ there are workarounds, but that's not the point now ]
any confusions now remains ? :)
edit - I forgot to answer your question :
My goal is to secure the ajax urls so that they're not used by external sites like an API to dump data into my database.
There is no way you can "secure" ajax urls, as others are already saying, ajax calls are normal requests to the server, but they have the Origin header applied..
the Origin header suggests the server whether to trust the caller or not :)
edit - I see that there are ways to secure, like preventing CSRF... [ I think that is only 1 possibility ] Thanks to @David Dorward for pointing it out. my +1
加载中,请稍侯......
精彩评论