Is this ajax behavior normal, safe

It seems I do not completely understand what ajax protection is, and it does not help that the answers to my questions constantly contradict each other. So I did this experiment.

I have this js code on site1.com, located at http://site1.com/script.js . On the server side it writes to the database but does not return any output. When I call this function from site1.com, I see that the record was written to the database, as expected.

    function enterdb() {
        $.ajax({
            async: false,
            url: 'http://site1.com/test?format=json',
            type: 'POST',
            data: { input: '1' },
            success: function (resp) { alert(resp); }
        });
    }

I copied the same js to a js file on othersite.com, now located at http://othersite.com/script.js , to see for myself whether it goes into the database. It did not, which is what I want, because I do not want people to play with my ajax addresses from other external scripts. But this contradicts some of the answers I read to my previous questions.

This answer matches the result I got:

Cross domain is always prohibited because of the same origin policy.

but the same answer also said:

Your XHR-creating JavaScript and someone faking it are the same and impossible to differentiate (although you can definitely make it harder).

So what is the verdict? My goal is to protect ajax URLs so that they are not used by external sites such as APIs to dump data into my database.

+4
2 answers

Short answer: you are not protected from the problems you mention.

Long answer:

Given:

  • A is the site you control.
  • B is a site that someone controls.
  • Charlie is your site visitor with credentials.

Your JavaScript creating XHR and someone faking it are the same and impossible to distinguish (although you can definitely make it harder).

This means that you cannot tell the difference between Charlie visiting A and Charlie manually creating an HTTP request to the URLs that you provided for your JavaScript to access.

So what is the verdict? My goal is to protect ajax URLs so that they are not used by external sites such as APIs to dump data into my database.

If Charlie visits site B, then site B cannot read data from site A through the Charlie browser (with Charlie credentials).

Site B can trigger a request to site A through Charlie's browser (for example, by submitting an invisible form into an invisible iframe with JS), so site B can cause data to be entered. This is a Cross-Site Request Forgery, but there are ways to protect against this.

+3

@zmol: nice to know that you experimented at my request :) (How to check if cross-domain requests are disabled)

Cross-domain policy says something like this:

your domain A serves page A, which has the ability to make ajax calls.
this "pageA" ajax can only request resources from domainA and possibly never from domainB.

in your words

if site1.com serves script.js, script.js can only upload and download content through site1.com and not through othersite.com.

on the other hand, if script.js was sent from othersite.com, it will not be able to call anything on site1.com because the server rejects the request due to this policy.

this is true for everyone, since you cannot call ajax on Google and Google cannot ajax call your domain officially. [There are workarounds, but that is not for now]

are there still some perplexities? :)

edit - I forgot to answer your question:

My goal is to protect ajax URLs so that they are not used by external sites such as APIs to dump data into my database.

It's not possible to "protect" ajax URLs; as others say, ajax calls are normal server requests, but they have an Origin header.

Origin header prompts the server to trust the caller or not :)

edit - I see that there are ways to protect, for example preventing CSRF ... [I think this is only one possibility]. Thanks @David Dorward for this, my +1.

+1

Source: https://habr.com/ru/post/1338802/
