 

Prevent request to another domain?

I want to administratively prevent a whole class of XSS attacks by not allowing anything on my page to send XHR/XMLHttpRequest (or other?) requests to other domains than the domain hosting the page. Is that possible?

I thought I could do that with Cross-Origin Resource Sharing (CORS), but it seems I was wrong. If a page hosted on domain-a.com tries to make an XHR request to domain-b.com, CORS can be used on domain-b.com pages to control whether or not that is allowed.

So if something on the page at domain-a.com tries to make an XHR request to hackers-r-us.com that will be allowed, as long as hackers-r-us.com sets the appropriate CORS headers.

But is there anything I can set on the page on domain-a.com to disallow requests to other domains such as hackers-r-us.com regardless of CORS headers on hackers-r-us.com?

Peter V. Mørch asked Feb 26 '20 04:02




1 Answer

To prevent requests to another domain, use CSP — specifically, the connect-src CSP directive.

CSP directives are specified using the Content-Security-Policy HTTP header, and enforced by browsers. The simplest example of a header that specifies a connect-src directive is:

Content-Security-Policy: connect-src 'self';

If you serve a document at https://example.com/foo/ with that, browsers block any frontend code in the document from making requests to URLs at any origin other than its own ('self'); i.e., browsers restrict the allowed requests only to URLs starting with https://example.com.

  • https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src has more details and examples.
  • https://w3c.github.io/webappsec-csp/#directive-connect-src is the actual spec section where the browser requirements are defined; that section also has some examples.
sideshowbarker answered Oct 30 '22 10:10