What is the rationale behind AJAX cross-domain security?

Given the simplicity of writing a server side proxy that fetches data across domains, I'm at a loss as to what the initial intention was in preventing client side AJAX from making calls across domains. I'm not asking for speculation, I'm looking for documentation from the language designers (or people close to them) for what they thought they were doing, other than simply creating a mild inconvenience for developers.

TIA

Yevgeny Simkin, asked May 30 '12 17:05


2 Answers

It's to prevent a browser from acting as a reverse proxy. Suppose you are browsing http://www.evil.com from a PC at your office, and suppose that in that office there is an intranet with sensitive information at http://intranet.company.com which is only accessible from the local network. If the cross-domain policy didn't exist, www.evil.com could make Ajax requests to http://intranet.company.com, using your browser as a reverse proxy, and send that information to www.evil.com with another Ajax request.

This is one of the reasons for the restriction, I guess.

Gabriel Jürgens, answered Oct 28 '22 12:10


If you're the author for myblog.com and you make an XHR to facebook.com, should the request send your facebook cookie credentials? No, that would mean that you could request users' private facebook information from your blog.

If you create a proxy service to do it, your proxy can't access the facebook cookies.

You may also be questioning why JSONP is OK. The reason is that you're loading a script you didn't write, so unless Facebook's script decides to send you the information from their JS code, you won't have access to it.

Juan Mendes, answered Oct 28 '22 12:10
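The policy both answers describe, modelled as an added example (this is not code from the question or either answer, and it is a simplified model, not browser source): an origin is the (scheme, host, port) tuple of the requesting page; an XHR response is readable only when the target shares that tuple, while a cross-origin script load (JSONP) runs but exposes no raw response. The evil.com / intranet.company.com URLs are constructed from the first answer's scenario.

```javascript
// Added example: a model of the browser's same-origin decision for XHR vs.
// <script> (JSONP) loads. Assumes Node's global WHATWG URL class.

function originOf(url) {
  const u = new URL(url);
  // URL.port is "" when the scheme's default port is in use, so normalize it
  // explicitly: http://a.com and http://a.com:80 are the same origin.
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// What a page at `pageUrl` may do with a request to `targetUrl`.
// kind: "xhr" (XMLHttpRequest) or "script" (<script src=...>, i.e. JSONP).
// Returns { readable, executes }: whether page script can read the response
// bytes, and whether the response is executed as code in the page.
// (CORS, where the target server opts in explicitly, is not modelled here.)
function policyDecision(pageUrl, targetUrl, kind) {
  if (kind === "xhr") {
    // Cross-origin XHR is refused so the browser cannot be used as a proxy
    // into networks or cookie-authenticated sessions the page does not own.
    return { readable: sameOrigin(pageUrl, targetUrl), executes: false };
  }
  if (kind === "script") {
    // Allowed cross-origin, but the page only receives whatever the remote
    // script chooses to pass to its callback; the raw response is hidden.
    return { readable: false, executes: true };
  }
  throw new Error(`unknown request kind: ${kind}`);
}

// Constructed scenario from the first answer: evil.com vs. the intranet host.
const scenarios = [
  ["http://www.evil.com/page", "http://intranet.company.com/salaries", "xhr"],
  ["http://intranet.company.com/app", "http://intranet.company.com/salaries", "xhr"],
  ["http://www.evil.com/page", "http://intranet.company.com/api?callback=cb", "script"],
];
for (const [page, target, kind] of scenarios) {
  console.log(kind, page, "->", target, policyDecision(page, target, kind));
}
```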