Wouldn't it have been simpler to just discard cookies for cross-domain XHR?

I keep fighting with strange limitations when developing for the web. One of them is the same-origin limitation for AJAX requests, and I'm asking myself if, instead of blocking requests to cross-domain resources, it wouldn't have been simpler to just discard cookies when making them (to avoid misuse of the authentication credentials of the browser session).

Cookies are a facility but not quite essential (for example, you can generate pages with cookies in the request URLs if you need to keep context), while cross-domain blocking is quite annoying to circumvent.

There is also something that seems to me VERY strange from a logical point of view in blocking a specific subject from accessing a resource that literally everyone else in the whole world can access without authentication.

I'm wondering if there's some real technical reason for which the same-origin policy is really the best solution.

Note that I'm asking just out of curiosity... I'm perfectly aware that in the web age horrible solutions can get crystallized in standards before experience is given the possibility to show whether they are good or bad (quite a big part of Javascript, for example).

6502 asked Oct 28 '12 16:10


1 Answer

You're assuming that all authentication credentials are cookie-based, which isn't true. The browser might authenticate to another site using PKI certificates, or the site might trust the client just because it has a certain IP address on a trusted network. That's not something the client can just turn off for an individual request.

However, there's work being done on standardizing a way for sites to allow cross-origin requests to their resources. If a site knows that some of its content is public and no clients have special privileges, it can set an HTTP header to tell browsers that scripts loaded from other sites are allowed to see that content.

There is also something that seems to me VERY strange from a logical point of view in blocking a specific subject from accessing a resource that literally everyone else in the whole world can access without authentication.

The browser doesn't know that the whole world can access the resource without authentication. It doesn't know whether it sees the same content as other clients when accessing a given URL. What it's blocking is access to its own, potentially unique, view of the remote resource.

Wyzard answered Oct 11 '22 23:10
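Added example, not part of the question or the answer above: a JavaScript model of the opt-in header mechanism the answer describes (the CORS headers Access-Control-Allow-Origin and Access-Control-Allow-Credentials), showing how a server can expose genuinely public content to every origin while a credentialed view needs an explicit per-origin grant, and how the browser-side check treats a request made without credentials differently from one made with them. The resources and origins are constructed samples; the header semantics follow the CORS specification.

```javascript
// Server side: pick the CORS headers for a resource, given the requesting origin.
// `resource.public` marks content that is identical for every client;
// `resource.allowedOrigins` lists sites allowed to read a credentialed
// (cookie-, certificate- or network-trust-based) view of it. Constructed policy.
function corsHeadersFor(resource, requestOrigin) {
  if (resource.public) {
    // Any origin may read, but browsers only honour "*" for requests
    // made WITHOUT credentials, so a cookie-bearing read is still refused.
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (resource.allowedOrigins.includes(requestOrigin)) {
    // A credentialed read needs the exact origin echoed back plus an explicit
    // opt-in flag; "Vary: Origin" keeps caches from reusing it for other origins.
    return {
      "Access-Control-Allow-Origin": requestOrigin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    };
  }
  return {}; // no CORS headers: the browser will not expose the response body
}

// Browser side: the resource-sharing check applied before a cross-origin
// script is allowed to read the response of a simple request.
function browserMayReadResponse(headers, requestOrigin, withCredentials) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (!withCredentials) {
    // Anonymous request: wildcard or an exact origin match is enough.
    return allowOrigin === "*" || allowOrigin === requestOrigin;
  }
  // Credentialed request: wildcard is rejected, the origin must match exactly
  // and the server must have opted in to sharing credentialed responses.
  return allowOrigin === requestOrigin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Simulate one cross-origin XHR end to end: server decides, browser checks.
function simulateFetch(resource, requestOrigin, withCredentials) {
  const headers = corsHeadersFor(resource, requestOrigin);
  return browserMayReadResponse(headers, requestOrigin, withCredentials);
}

// Constructed sample resources (not real sites).
const publicFeed = { public: true, allowedOrigins: [] };
const accountPage = { public: false, allowedOrigins: ["https://app.example"] };
```

The anonymous-request path is effectively the "discard cookies" behaviour the question proposes, while the credentialed path covers the non-cookie credentials the answer points out a client cannot simply drop.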