In my project , I need to allow others send ajax requests to my script . So external requests may come from other websites and domains and maybe from browser extensions. I've added simply these two lines at top of my script to let them do it: <pre class="prettyprint"><code>header('Access-Control-Allow-Origin: *'); header('Access-Control-Allow-Methods: GET, POST'); </code></pre> Now my question is this : Is here any security consideration I've missed? does this simple solution make serious problems? If so , what is the better solution? Thanks for response.

As mentioned above, anyone can send a request to you page at any time: so the major security concerns you need are to validate user input and only reveal information that is available for public consumption. But that applies to all scripts. The two main issues you need to concentrate on (after validating user input) are: <ol> <li>The problem you may have is users receiving the information into their scripts. Depending on the browser (and even between flavours of the same browser) there are different security rules that prevent them from getting the information back. A common solution to this is to provide information back as "JSONP" which is to wrap your return value as a function call that can be executed by the client. Here's a quick example (taken from http://www.geekality.net/2010/06/27/php-how-to-easily-provide-json-and-jsonp/). To further lock it down, you can insist that all queries are JSONP and reject anyone not sending the callback function.</li> </ol> . <pre class="prettyprint"><code><?php header('content-type: application/json; charset=utf-8'); $data = array(1, 2, 3, 4, 5, 6, 7, 8, 9); echo $_GET['callback'] . '('.json_encode($data).')'; ?> </code></pre> <ol start="2"> <li>Someone abusing your service by calling too regularly. Solutions for this are to trap the IP address and reject if you get too many calls from an IP address. Not foolproof, but it's a start. </li> </ol> Other factors to bear in mind: <ul> <li>cookies and other headers set by your script will probably be ignored</li> <li>same applies to sessions</li> </ul>

allow cross domain ajax requests

In my project , I need to allow others send ajax requests to my script . So external requests may come from other websites and domains and maybe from browser extensions.
I've added simply these two lines at top of my script to let them do it:

header('Access-Control-Allow-Origin: *'); header('Access-Control-Allow-Methods: GET, POST');

Now my question is this : Is here any security consideration I've missed? does this simple solution make serious problems?
If so , what is the better solution?

Thanks for response.

How do I make a cross domain request in AJAX?

For a successful cross-domain communication, we need to use dataType “jsonp” in jquery ajax call. JSONP or “JSON with padding” is a complement to the base JSON data format which provides a method to request data from a server in a different domain, something prohibited by typical web browsers.

What is cross domain AJAX request?

CORS is a mechanism that defines a procedure in which the browser and the web server interact to determine whether to allow a web page to access a resource from different origin. Figure 2. Cross domain ajax request. When you do a cross-origin request, the browser sends Origin header with the current domain value.

Can you send AJAX request to another domain?

Browser does not allow cross domain AJAX requests due to security issues. Cross-domain requests are allowed only if the server specifies same origin security policy. To enable CORS, You need to specify below HTTP headers in the server. Access-Control-Allow-Origin – Name of the domain allowed for cross domain requests.

What would you enable to allow a browser on another site to make an AJAX request to API?

CORS Proxy Servers can specify that they want browsers to allow other websites to request resources they host. CORS Proxy is simply an HTTP Proxy that adds a header to responses saying "anyone can request this".

As mentioned above, anyone can send a request to you page at any time: so the major security concerns you need are to validate user input and only reveal information that is available for public consumption. But that applies to all scripts.

The two main issues you need to concentrate on (after validating user input) are:

The problem you may have is users receiving the information into their scripts. Depending on the browser (and even between flavours of the same browser) there are different security rules that prevent them from getting the information back. A common solution to this is to provide information back as "JSONP" which is to wrap your return value as a function call that can be executed by the client. Here's a quick example (taken from http://www.geekality.net/2010/06/27/php-how-to-easily-provide-json-and-jsonp/). To further lock it down, you can insist that all queries are JSONP and reject anyone not sending the callback function.

.

<?php  header('content-type: application/json; charset=utf-8'); $data = array(1, 2, 3, 4, 5, 6, 7, 8, 9); echo $_GET['callback'] . '('.json_encode($data).')';  ?>

Someone abusing your service by calling too regularly. Solutions for this are to trap the IP address and reject if you get too many calls from an IP address. Not foolproof, but it's a start.

Other factors to bear in mind:

cookies and other headers set by your script will probably be ignored
same applies to sessions

allow cross domain ajax requests

Tags:

ajax

php

cross-domain

Aliweb

People also ask

1 Answers

Robbie

Recent Activity

Donate For Us

allow cross domain ajax requests

Tags:

ajax

php

cross-domain

Aliweb

People also ask

1 Answers

Robbie

Related questions

Recent Activity

Donate For Us