
Is it safe to use $.support.cors = true; in jQuery?

I was trying to hit a web service on a different domain using jQuery's ajax method. After doing some research, it looks like it does not allow this, by design, to prevent cross-site scripting.

I came across a workaround, which was to include this line:

$.support.cors = true;

at the top of my JavaScript code. From what I understand, this enables cross-site scripting in jQuery.

Does having this line of code make my site more vulnerable to attack? I've always heard XSS discussed as a security issue; are there legitimate uses for XSS?

Abe Miessler asked Oct 21 '11 16:10



3 Answers

XSS is not a feature that can be enabled in jQuery. It would be very, very unusual if the jQuery core had an XSS vulnerability, but it is possible, and it's called DOM-based XSS.

"Cross-Origin Resource Sharing" or CORS isn't the same as XSS, BUT if a web application had an XSS vulnerability, then an attacker would have CORS-like access to all resources on that domain. In short, CORS gives you control over how you break the same-origin policy such that you don't need to introduce a full-on XSS vulnerability.

The $.support.cors query feature relies upon the Access-Control-Allow-Origin HTTP response header. This could be a vulnerability. For example, if a web application had Access-Control-Allow-Origin: * on every page, then an attacker would have the same level of access as an XSS vulnerability. Be careful which pages you introduce CORS headers on, and try to avoid * as much as possible.

So to answer your question: NO, a web application never needs to introduce an XSS vulnerability, because there are ways around the SOP such as CORS/jsonp/cross domain proxies/access-control-origin.

rook answered Oct 04 '22 08:10
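An added example (not part of the answer above and not jQuery code) of what avoiding `*` can look like on the server side: an exact-match origin allowlist, plus a small audit of the headers a response actually carries. The origins and the function names `corsHeaders` and `auditCors` are assumptions made for illustration.

```javascript
// Added example; the origins below are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Build the CORS response headers for one request's Origin header.
// Exact match only: no wildcard, no suffix/regex matching, never "null".
function corsHeaders(requestOrigin) {
  const headers = { "Vary": "Origin" }; // shared caches must key on Origin
  if (typeof requestOrigin === "string" && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers; // without Allow-Origin the browser blocks the cross-origin read
}

// Review helper: given the Origin a test request sent and the headers the
// server answered with, list the ways the answer is wider than the allowlist.
function auditCors(requestOrigin, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return [];
  const findings = [];
  if (acao === "*") {
    findings.push("wildcard origin");
  } else if (acao === "null") {
    findings.push("null origin trusted");
  } else {
    if (!ALLOWED_ORIGINS.has(acao)) {
      findings.push(acao === requestOrigin ? "reflects unlisted origin" : "unlisted origin");
    }
    if (!/\borigin\b/i.test(h["vary"] || "")) findings.push("missing Vary: Origin");
  }
  return findings;
}

// Constructed probes: a listed origin, a look-alike host, and the "null" origin.
for (const origin of ["https://app.example.com", "https://app.example.com.lookalike.test", "null"]) {
  console.log(origin, corsHeaders(origin), auditCors(origin, corsHeaders(origin)));
}
console.log(auditCors("https://other.test", { "Access-Control-Allow-Origin": "*" }));
```
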


It can help only if you have CORS enabled in your browser but it isn't supported by jQuery yet:

To enable cross-domain requests in environments that do not support cors yet but do allow cross-domain XHR requests (windows gadget, etc), set $.support.cors = true;. CORS WD

Just setting this property to true can't cause a security vulnerability.

bjornd answered Oct 04 '22 08:10


When a hacker is able to inject script code to change the requests to another domain, he is also able to set this JavaScript flag in the script.

So whether this flag is set doesn't change much at this point of the intrusion.

Tim answered Oct 04 '22 09:10