Cross domain AJAX requests are not being blocked: is this a security vulnerability?

I spent the last 3 days studying how to make a cross domain request using XMLHttpRequest. The best alternative is indeed with JSONP which I am already using.

But I still have a question that I could not find an answer to anywhere. I read hundreds of posts (including SOs) and nobody has a good reliable answer (with a nice reference). Hope someone here can help.

That said, I read on many websites that due to security reasons I cannot make an Ajax request from domain example.com to yyy.com and get the data I want. It's very clear and I have no question about that. BUT the problem is when I run the code below on my localhost (so my domain is "localhost" and I should not be able to request any data from another domain).

var xhReq = new XMLHttpRequest();
// Cross-origin GET: the request is sent, but the response is hidden by the same origin policy
xhReq.open("GET", "http://domain.com.br?parameter", true);
xhReq.send(null);

When I inspect the Firebug Net Tab I realize that the request was not blocked! It was clearly requested. I could not believe it. So I created a file at domain.com.br/log.php where I could log any request that hit my domain. Surprisingly, all the requests I was firing from localhost were hitting my domain.com.br. When I tried to fetch the response I really could not get it due to the same origin policy of my Chrome and Firebug browser. But I was really surprised that the request really hit the webserver even though I could not manipulate the response.

More surprising is that if domain.com.br/log.php generates a huge response of like 1MB, my Firebug showed me that the browser does download ALL the 1MB from the webserver, and at the end it shows a message "Access denied" as expected. So why download the whole file if the same origin policy forbids that data to be read?

Finally, what amazes me is that all the websites and specifications I read say very CLEARLY that the request is blocked using Ajax when the target domain does not match the source domain. But clearly, with my experiment, the requests are being completed, even though I cannot access the response data.

What makes me upset is that it could open a BIG security hole, in which a website with thousands of views every day could run this 3-line code and cause a HUGE DDoS attack on an unfriendly website just by making the users request a page on another website at small intervals, since the browser will not block the request.

I tested this script in IE 7, 8 and 9 and Chrome latest and Firefox latest and the behaviour is the same: the request is done and the browser downloads all the response while not making it available due to SOP.

Hope someone can explain to me why the specs are so wrong about it or what I am understanding wrong!

Samul asked Oct 30 '13 17:10


1 Answer

The request can be made, and the server may generate a response, regardless of CORS. However, the response may be hidden. balpha wrote about this in his blog recently:

Note that the same origin policy doesn't necessarily prevent the request per se – it just prevents the response from being accessible. A malicious site can e.g. just redirect your browser, or submit a form, or include an image or an iframe – in all those cases a request is made to your site; the evil site just doesn't see the response.

To some extent, the browser has to make a request to the server to see if it serves an "Access-Control-Allow-Origin" header. Remember that CORS is completely implemented by the browser. Someone could just write a console application to make a request to your server, so you shouldn't rely on CORS to make sure requests are only coming from your own site.

vcsjones answered Sep 28 '22 15:09
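The defensive consequence of the answer above, as an added example that is not from the question, the answer or any project: a server-side handler modelled as a pure function (no network needed) that logs every request whether or not the origin is trusted, only sets Access-Control-Allow-Origin for an allow-list, and guards state-changing requests with a session-bound CSRF token instead of relying on CORS. The allow-list, token store, sample requests and header names other than the standard CORS one are hypothetical, constructed values.

```javascript
// Added example, not code from the page. Every request reaches the server
// regardless of the browser's same origin policy; CORS only decides whether
// the *browser* lets the calling script read the response.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);  // constructed allow-list
const SESSION_TOKENS = new Map([["sid-1", "tok-9f3c"]]);   // constructed session -> CSRF token

// In-memory log, standing in for the asker's domain.com.br/log.php.
const requestLog = [];

function handleRequest(req) {
  // 1. Log first: the request arrives whatever the origin, exactly as the asker observed.
  requestLog.push({ origin: req.headers.origin ?? "(none)", path: req.path, method: req.method });

  const headers = {};
  const origin = req.headers.origin;
  // 2. Only reflect origins we trust, and tell caches the answer depends on Origin.
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";
  }

  // 3. CORS is enforced only by browsers; a console application ignores it.
  //    For anything that changes state, require a CSRF token tied to the session.
  if (req.method !== "GET") {
    const expected = SESSION_TOKENS.get(req.cookies?.sid);
    if (!expected || req.headers["x-csrf-token"] !== expected) {
      return { status: 403, headers, body: "missing or invalid CSRF token" };
    }
  }
  return { status: 200, headers, body: "ok" };
}

// Constructed sample traffic: a cross-origin GET from an untrusted page (the
// asker's experiment), a trusted-origin GET, and a cross-site POST with no token.
const samples = [
  { method: "GET", path: "/log.php", headers: { origin: "http://localhost" }, cookies: {} },
  { method: "GET", path: "/api", headers: { origin: "https://app.example" }, cookies: {} },
  { method: "POST", path: "/transfer", headers: { origin: "http://evil.example" }, cookies: { sid: "sid-1" } },
];
const results = samples.map(handleRequest);
```

All three requests are logged (the server saw them), only the trusted origin gets a CORS header, and the token-less POST is refused by the server itself rather than by the browser.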