On Thu, Aug 23, 2012 at 4:02 PM, Brandon Murray <bmurmis...@gmail.com> wrote:
> I have taken a closer look at easyXDM, specifically the usage of ajax
> along with the cors/index.html. I have useAccessControl turned on and have
> set my trusted origins... works great! Though, I'm a little confused by the
> usage of cors.
> First, When making a call from the client (domain1) to domain2, there is
> no origin header sent with the request nor is there an OPTIONS request... my
> assumption is that since the call is being made from the iframe, the
> browser (in my case firefox) treats it as a regular ajax request so none of
> those headers get added. In certain scenarios it appears that there is an
> attempt to add the origin header (not when using XmlHttpRequests). There
> really doesn't appear to be any usage of cors from what I can tell.
It doesn't as this is a shim for use when CORS is not available - but it
follows the CORS specification (to some degree).
> Also, Looking at the cors/index.html file, the useAccessControl checks are
> being made AFTER the request is made and changing the response if the
> origin is untrusted. Seems like this should be done before the request is
> made or in readystate==2. Why allow an untrusted origin to submit a
It is impossible to disallow the request being made in the first place (img
request, form post etc), and in order for us to enforce any form of domain
restriction, we need the list of domains allowed - this is, per the CORS
specification, passed back in the 'access-control-allow-origin' header - so,
a request has to be made either way.
> That being said, how can I be sure that the client making the request is
> really a trusted origin? Couldn't someone just simply instantiate easyXdm,
> tampering with the urls, and make xdm calls to my domain? Perhaps I'm missing
> something here, but any clarification would greatly be appreciated.
One of the properties of easyXDM is that its origin property is
non-spoofable, so you can tamper all you want with the urls - if you find a
way to spoof the origin AND have data returned then I'd love to hear about
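The post-response check the reply describes (the request cannot be stopped, so the shim decides afterwards whether the caller gets the body), as an added example that is not easyXDM's own code; the `originAllowed` and `deliver` helpers and the response objects are constructed for illustration:

```javascript
// Added example, not code from easyXDM. Models the check the thread
// describes: the request has already reached the server, so trust is
// decided from the server's Access-Control-Allow-Origin header when the
// response comes back, and an untrusted caller never sees the body.

// Decide whether requestOrigin is covered by the header value. The CORS
// spec allows one origin or "*"; some servers emit a list, so a space or
// comma separated list is tolerated too. Origins compare byte-for-byte.
function originAllowed(allowHeader, requestOrigin) {
  if (!allowHeader) return false;               // header absent: deny
  return allowHeader
    .split(/[\s,]+/)
    .filter(Boolean)
    .some(v => v === "*" || v === requestOrigin);
}

// Hand the response to the caller only if the origin is trusted.
// `response` is a constructed stand-in for what an XHR would deliver.
function deliver(response, requestOrigin, useAccessControl) {
  const allow = response.headers["access-control-allow-origin"];
  if (useAccessControl && !originAllowed(allow, requestOrigin)) {
    // Untrusted origin: withhold the body, report the block.
    return { status: response.status, headers: {}, data: null, blocked: true };
  }
  return { status: response.status, headers: response.headers,
           data: response.data, blocked: false };
}

// Constructed sample responses (placeholder hostnames).
const okResponse = {
  status: 200,
  headers: { "access-control-allow-origin": "https://domain1.example" },
  data: "payload for domain1",
};
const wildcardResponse = Object.assign({}, okResponse,
  { headers: { "access-control-allow-origin": "*" } });

console.log(deliver(okResponse, "https://domain1.example", true).blocked); // false
console.log(deliver(okResponse, "https://other.example", true).blocked);   // true
```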