Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Cross Domain Form POSTing

Tags:

html

http

security

same-origin-policy

csrf

The same origin policy is applicable only for browser side programming languages. So if you try to post to a different server than the origin server using JavaScript, then the same origin policy comes into play but if you post directly from the form i.e. the action points to a different server like:

<form action="http://someotherserver.com">

and there is no javascript involved in posting the form, then the same origin policy is not applicable.

See wikipedia for more information


It is possible to build an arbitrary GET or POST request and send it to any server accessible to a victims browser. This includes devices on your local network, such as Printers and Routers.

There are many ways of building a CSRF exploit. A simple POST based CSRF attack can be sent using .submit() method. More complex attacks, such as cross-site file upload CSRF attacks will exploit CORS use of the xhr.withCredentals behavior.

CSRF does not violate the Same-Origin Policy For JavaScript because the SOP is concerned with JavaScript reading the server's response to a clients request. CSRF attacks don't care about the response, they care about a side-effect, or state change produced by the request, such as adding an administrative user or executing arbitrary code on the server.

Make sure your requests are protected using one of the methods described in the OWASP CSRF Prevention Cheat Sheet. For more information about CSRF consult the OWASP page on CSRF.


Same origin policy has nothing to do with sending request to another url (different protocol or domain or port).

It is all about restricting access to (reading) response data from another url. So JavaScript code within a page can post to arbitrary domain or submit forms within that page to anywhere (unless the form is in an iframe with different url).

But what makes these POST requests inefficient is that these requests lack antiforgery tokens, so are ignored by the other url. Moreover, if the JavaScript tries to get that security tokens, by sending AJAX request to the victim url, it is prevented to access that data by Same Origin Policy.

A good example: here

And a good documentation from Mozilla: here

Related questions

css overflow - only 1 line of text
How to add google chrome omnibox-search support for your site?
Is div inside list allowed? [duplicate]
How can I center a div within another div? [duplicate]
Necessary to add link tag for favicon.ico?
Making a flex item float right
Using HTML and Local Images Within UIWebView
Table header to stay fixed at the top when user scrolls it out of view with jQuery
Retrieving the text of the selected <option> in <select> element
Change the color of glyphicons to blue in some- but not at all places using Bootstrap 2
Positions fixed doesn't work when using -webkit-transform
What does the shrink-to-fit viewport meta attribute do?
Responsive image map
How do I detect "shift+enter" and generate a new line in Textarea?
How to remove word wrap from textarea?
How do I remove all HTML tags from a string without knowing which tags are in it?
Ruby on Rails: how to render a string as HTML?
How to show disable HTML select option in by default?
How to draw a rounded rectangle using HTML Canvas?
Do you need text/javascript specified in your <script> tags?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!