How to prevent cross-domain ajax requests?

How can I detect if my php script is being called from another domain and the other domain is making illegal use of my script? Is there a way to prevent this too?

UPDATE

I found this question on SO, but it's still not safe, it can be spoofed.

Sujit Agarwal Avatar asked Jun 14 '11 17:06




2 Answers

There isn't any absolutely foolproof method to prevent this, since any header information can be spoofed. Session-based tokens are another possible solution, but in that case your JavaScript is publicly accessible, so anyone who wanted to spend a little time could determine how your token system works and figure out a way around it.

A combination of methods will give you the most wide-ranging protection. You can look for the header, use an .htaccess file, and use tokens. This sort of all-of-the-above approach makes it that much harder to abuse a web server - most abuse comes from people trying to find an easy hole to exploit. The important thing to remember is that you can't become complacent because you've deployed "the best" protection, or because you've got so many layers of protection that it seems impossible to crack. If someone really wanted it bad enough and had the time, they'll find a way. These types of preventative measures are really only deterrents to keep away the lazy, curious, and idly malicious. Targeted attacks are a whole separate class of security, and usually are more centered on server-level security issues.

Sample htaccess. This would not be something you'd put in your root, but rather within a subfolder where you have scripts that should never be called from the address bar:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?_YOUR_DOMAIN_NAME_HERE.com [NC]
RewriteRule \.(php)$ - [NC,F,L]

Check out this article for info about using a token system: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

Chris Baker Avatar answered Oct 17 '22 13:10

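The token layer this answer mentions, as an added example that is not part of the answer or the linked OWASP page: a synchronizer token stored in the PHP session, issued to the page and checked on every state-changing request. The session key name, the header name X-CSRF-Token and the JSON responses are assumptions of this example. Because the token lives in the session and is only readable by pages on your own origin, a third-party page cannot obtain it to replay it, which is the property that makes this stronger than a header check alone.

```php
<?php
// Added example (not from the answer): synchronizer-token pattern as described
// in the OWASP CSRF cheat sheet the answer links to. Assumes PHP sessions.
declare(strict_types=1);

session_start();

// Issue one token per session; embed it in the page that performs the AJAX call.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the token sent back with the request using a constant-time compare,
// so the check itself does not leak anything about the expected value.
function csrf_valid(?string $submitted): bool
{
    if ($submitted === null || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Endpoint side: only state-changing methods need the check; GETs stay idempotent.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The token may arrive as a form field or as a custom header (assumed name).
    $submitted = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    header('Content-Type: application/json');
    if (!csrf_valid($submitted)) {
        http_response_code(403);
        echo json_encode(['error' => 'invalid or missing CSRF token']);
        exit;
    }
    // ... handle the legitimate request here ...
    echo json_encode(['ok' => true]);
    exit;
}

// Page side: render the token so the page's own JavaScript can send it back,
// e.g. by reading the <meta> tag and adding the X-CSRF-Token header.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo "<meta name=\"csrf-token\" content=\"{$token}\">\n";
```

Rotate the token on login and logout (regenerate the session as well) so a token captured before authentication cannot be carried into an authenticated session.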


You can manually deny every request whose Origin header does not match your domain name. However, not all browsers send the Origin header. In these cases, you can fallback to the Referer[sic] header, parse it and find out the domain name, and compare it as above.

Some JavaScript frameworks also set an X-Requested-With header for AJAX requests.

This should reject a significant percentage of users (I'd estimate >95%). Note that due to the Same-Origin Policy, the only thing the guy sending AJAX requests to your domain gets is timing information anyway.

phihag Avatar answered Oct 17 '22 15:10

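The header check this answer describes, written out as an added example (not code from the answer): prefer Origin, fall back to Referer when Origin is absent, compare the host exactly against an allow list, and additionally require the X-Requested-With header that jQuery-style libraries add to AJAX calls. The allowed host names are assumptions; replace them with your own. The constructed sample requests at the end exercise the decision logic without a browser.

```php
<?php
// Added example (not from the answer): reject requests whose Origin header
// (or Referer, when Origin is absent) does not name one of our own hosts.
declare(strict_types=1);

// Hosts allowed to call this endpoint; assumed values, adjust for your site.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

// Extract the host from an Origin or Referer value; null if absent or unparseable.
// Browsers send the literal string "null" as Origin in some privacy cases; treat
// that as absent rather than as a host.
function source_host(?string $value): ?string
{
    if ($value === null || $value === '' || $value === 'null') {
        return null;
    }
    $host = parse_url($value, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// Decide whether a request should be served:
//  1. Prefer Origin; fall back to Referer only when Origin is missing.
//  2. If neither is present, deny (stricter than the .htaccess in the other
//     answer, which lets an empty Referer through).
//  3. Exact host match only; a substring match would accept evil-example.com.
function request_allowed(array $headers, array $allowedHosts = ALLOWED_HOSTS): bool
{
    $host = source_host($headers['Origin'] ?? null)
         ?? source_host($headers['Referer'] ?? null);
    if ($host === null) {
        return false;
    }
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

// Require the X-Requested-With header that jQuery and similar libraries add to
// AJAX calls. Address-bar visits and plain <form> posts never carry it, and a
// cross-origin page cannot add it without a CORS preflight that we would refuse.
function is_ajax(array $headers): bool
{
    return strcasecmp($headers['X-Requested-With'] ?? '', 'XMLHttpRequest') === 0;
}

// Constructed sample requests (not real traffic) showing each branch of the logic.
assert(request_allowed(['Origin' => 'https://www.example.com']) === true);
assert(request_allowed(['Referer' => 'https://example.com/page.php?x=1']) === true); // Origin absent
assert(request_allowed(['Origin' => 'https://evil-example.com']) === false);
assert(request_allowed(['Origin' => 'https://example.com.attacker.test']) === false);
assert(request_allowed(['Origin' => 'null']) === false);
assert(request_allowed([]) === false); // neither header present
assert(is_ajax(['X-Requested-With' => 'XMLHttpRequest']) === true);
assert(is_ajax([]) === false);

// Live use at the top of the AJAX endpoint (headers taken from the real request).
$headers = [
    'Origin'           => $_SERVER['HTTP_ORIGIN'] ?? null,
    'Referer'          => $_SERVER['HTTP_REFERER'] ?? null,
    'X-Requested-With' => $_SERVER['HTTP_X_REQUESTED_WITH'] ?? null,
];
if (!is_ajax($headers) || !request_allowed($headers)) {
    http_response_code(403);
    exit('Forbidden');
}
```

Treat this as one layer: both headers are set by the client, so a non-browser client can send whatever it likes. The check stops browsers on other sites from silently using the script with a victim's cookies; it does not authenticate the caller, which is what the session token in the other answer is for.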