Cross Origin Communication (CORS)
25
unlocking the secrets
-
Upload
ray-nicholus -
Category
Software
-
view
492 -
download
2
description
What is the same-origin policy, and how can you get around it?
Transcript of Cross Origin Communication (CORS)
unlockingthesecrets
don'tmakecross-originrequests
ProtectionforserverProtectionforclients
Netscapedays-1999?RFC6454
64546454
Allbrowsers:javascript*java*flash
There'sIE,andthenthere'severyoneelse...
<scriptsrc="..."/><img/videosrc="..."/><ahref="..."/>formsubmissioniframeembeddedpages
Javascriptcannotbeusedtoaccessmostiframeproperties/content
e.g.:bankingappw/ads
HTML5WebMessaging(window.postMessage)
WebMessaging(traditionalendpoint)303redirect(S3endpoint)
Javascriptaccesstoproperties,andtheabilitytoexport.
e.g.modifyinganimage&cachingit
1. crossoriginattribute&Access-Control-Allow-Originheader(CORS)2. Proxying
*Browserswillsimplynotsendanycross-originrequest
e.g.mini-stackoverflow
CORSspecJSONP
Allowsforcross-originajaxrequests:serversmustopt-infullsupportinallmodernbrowsersIE9/8havepartialsupportnosupportforIE7&older
XMLHttpRequestmethods:GET,POST,HEADheaders:Accept,Accept-Language,Content-Language,Content-TypeContent-Type:text/plain,application/x-www-form-urlencoded,multipart/form-datarequestincludesanOriginheaderresponsemustincludeanAccess-Control-Allow-OriginheaderresponseoptionallyincludesAccess-Control-Expose-Headers
XDomainRequestIE8-9methods:GET,POST,HEADcannotsendANYheaders!requestincludesanOriginheaderresponsemustincludeanAccess-Control-Allow-Originheadernoaccesstoresponseheadersnoaccesstoresponsestatus
browser-preflightedXMLHttpRequestmethods:DELETE,PUTorGET/POSTw/non-simpleheadersorContent-Typebrowser "preflights" request (OPTIONS) w/ Origin, Access-Control-
Request-Method,&Access-Control-Request-HeadersheadersservermustrespondwithAccess-Control-Allow-Origin,Access-Control-
Allow-Methods,&Access-Control-Allow-Headersheadersbrowserthensendstheoriginalrequestw/Originheaderservermustrespondw/Access-Control-Allow-Originheader
Notsupported,butworkaroundsavailableforsomecases:DELETE/PUTmethod->POSTw/_methodparam
XDomainiframelibrary
![Robust JavaScript [50min] · iframe sandbox same-origin policy CORS content security policy html sanitization. A software architecture view of security ... Modularity: avoid needless](https://static.fdocuments.us/doc/165x107/5f447aebcf0dce16702e7afc/robust-javascript-50min-iframe-sandbox-same-origin-policy-cors-content-security.jpg)
