How to set a real cross domain policy with spring and jquery

I'm kind of a rookie on web development and after a lot of struggling through the web, I've come to a solution. I'm sharing it because I feel like it's not really well documented and could be used by someone else and because I need some feedback.

I wanted to give specific domains access to an API.

First of all, I tried to set headers of the request but it did not work at all for two reasons.

The first reason is that I was not allowing it in crossdomain.xml:

    <cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
          <allow-http-request-headers-from domain="domain1WithoutSlashAtTheEnd" headers="*"/>
          <allow-http-request-headers-from domain="domain2WithoutSlashAtTheEnd" headers="*"/>
    </cross-domain-policy>

The second reason is that I tried to set the "access-control-allow-origin" header while it's useless. Any custom header like this is just ignored. Actually, the server did not need anything of that kind and its default behaviour allowed me to get the origin (domain) of the call, which I was able to process in a filter as follows:

    // Inside the filter's doFilter(): hsRequest/hsResponse are the
    // HttpServletRequest/HttpServletResponse, allowedDomainList a List<String>
    String origin = hsRequest.getHeader("Origin");
    if (allowedDomainList.contains(origin)) {
      // Echo back only an origin that is on the allow list, never "*"
      hsResponse.setHeader("Access-Control-Allow-Origin", origin);
    } else {
      throw new SomeException("domain not allowed");
    }

where "allowedDomainList" is a list of String in which I give all the domains I allow to access my API. It seems to work fine. What do you think about it? Would you be more specific about:

    headers="*"

Maybe say only "Access-Control-Allow-Origin". Then I've seen that there is a "secure" attribute and I don't know what to do with it.

I also have a problem with that code I already have:

    <!DOCTYPE cross-domain-policy
      SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
      <allow-access-from domain="*" />
    </cross-domain-policy>

And I wonder how it could interfere with the behaviour of my policy. It seems that it has no impact but the crossdomain.xml is very unclear to me.

Last point is about jQuery (http://api.jquery.com/jQuery.ajax/). Why does jQuery have a thing to set the headers if we cannot get them on server side? Plus, it has two ways of "giving" headers: the use of "beforeSend" and "headers". These 2 points don't make sense to me and as you can see above, it made me lose a lot of time for nothing in the end!

Thanks in advance for your replies!

user1835565 Avatar asked Nov 12 '22 17:11

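The filter fragment in the question is the core of a correct CORS allow-list; what it leaves out is the preflight (OPTIONS) exchange, the `Vary: Origin` header, and exact (rather than prefix) matching of the origin. The following is an added, complete servlet filter written for this page, not code from the question or its author. It assumes the javax.servlet API (Java 9+ for `Set.of`), a class name `CorsAllowListFilter` and sample origins that are constructed for illustration:

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Origin allow-list CORS filter (added example; the class name and the
 * allow-list contents are assumptions, not from the original post).
 */
public class CorsAllowListFilter implements Filter {

    // Exact origins: scheme + host [+ port], no path, no trailing slash.
    // Constructed sample values.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app1.example.com",
            "https://app2.example.com:8443");

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String origin = request.getHeader("Origin");

        // Same-origin and non-browser clients send no Origin header: nothing to do.
        if (origin == null) {
            chain.doFilter(req, res);
            return;
        }

        // Exact, case-sensitive match. Never use startsWith()/contains() here:
        // a longer host name that merely begins with an allowed origin must not match.
        if (!ALLOWED_ORIGINS.contains(origin)) {
            // Omitting the CORS headers is already enough for the browser to block
            // the response; 403 makes the refusal visible in the console and the logs.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "origin not allowed");
            return;
        }

        // Echo only the matched origin, and tell caches the answer depends on it.
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.addHeader("Vary", "Origin");

        // Preflight: the browser sends OPTIONS + Access-Control-Request-Method before
        // any "non-simple" request (custom headers, JSON bodies, PUT/DELETE).
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null) {
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
            response.setHeader("Access-Control-Allow-Headers", "Content-Type, X-Requested-With");
            response.setHeader("Access-Control-Max-Age", "600");
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Register the filter in `web.xml` (or through Spring's filter registration) on the API path, e.g. `/api/*`. Two points the question touches on follow from this code: the `headers="*"` and `secure` attributes in crossdomain.xml only affect Flash/Flex clients and have no bearing on an XMLHttpRequest made by jQuery, which is governed by the CORS response headers above; and the jQuery `headers`/`beforeSend` options set *request* headers, which the server can read with `getHeader()`, but a request carrying `Access-Control-Allow-Origin` means nothing because that is a *response* header the browser expects from the server. If the API is ever used with cookies, add `Access-Control-Allow-Credentials: true` only alongside an exact echoed origin, never `*`.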


1 Answer

Instead of thinking about how to allow specific domains to access your API, maybe these other domains should access your API differently.

If the other domains make a web request from their web server instead of their client you won't have to worry about cross domain scripting at all.

The other domain's client can post to its own web server, make the web request to your server and pass the result back to their client.

Also, there are many ways to secure your API without maintaining a list of domains that have access if you were worried about security.

Dan But Avatar answered Nov 15 '22 06:11
