Cross-origin XMLHTTPRequest.withCredentials = false without CORS?


Jimmy Berry

Mar 6, 2013, 1:30:10 PM3/6/13
to chromium...@chromium.org
I have done a fair bit of research on the various methods people use to get around the limitation of XMLHTTPRequest from making cross-origin requests without CORS (http://www.w3.org/TR/access-control/) and the methods for gaining additional privileges in order to do so. All the workarounds require access to the domain being called, which means you might as well use CORS now that it exists, or are half-baked/browser-specific ways to gain privilege. The only workable solution seems to be to host a proxy server to make the requests and forward them back to the user.

Chrome extensions may request access via permissions, hopefully https://developers.google.com/chrome/apps/docs/no_crx would also allow such permissions in the future, but is currently experimental and limited. Mozilla's open web app support includes "systemXHR - Make HTTP requests without any origin restrictions." (https://developer.mozilla.org/en-US/docs/Apps/Manifest#permissions) which does the trick, but requires the app to be type privileged - An authenticated Open Web App that has been approved by an app store such as the Firefox Marketplace.

Browsers default XMLHTTPRequest.withCredentials to false when making a cross-origin request, and it requires further headers to be set in CORS to allow it with credentials. Given that one can host a proxy server and make the same request (i.e. without user credentials), why is this not available without a special setup like CORS or permissions? From a security standpoint, requests can already be made with credentials using images (allows CSRF), but the calling page cannot see the resulting data. A form can also be POSTed using submit() across domains, so what are the risks with allowing XMLHTTPRequests with withCredentials = false?

The ability to query a number of data sources to present inside of a JavaScript application is quite handy and seems needlessly complicated by the current setup. Additionally, being able to use HTML5 Audio and other such streams from third-party hosts seems rather handy as well.
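The header rules the post alludes to (a cross-origin response is readable only if the server opts in, and a credentialed response must name the page's origin rather than use "*") can be modelled in a few lines. The following is an added example, not code from the thread, from Chromium, or from any browser: it models both halves of a simple-GET CORS exchange, the server deciding which Access-Control-* headers to send for a given Origin, and the browser-side check that decides whether script may read the body. The origins and the policy object are constructed inputs.

```javascript
// Added example: a minimal model of the CORS exchange for a simple GET.
// Not browser or Chromium code; origins and policy below are constructed.

// Server-side policy (constructed): which origins may read responses, and
// whether cookies/HTTP auth may be attached to those requests.
const policy = {
  allowedOrigins: new Set(["https://app.example", "https://mashup.example"]),
  allowCredentials: true,
};

// Decide the CORS response headers for a request carrying `requestOrigin`.
// Returns an empty object when the server does not opt in for that origin.
function corsResponseHeaders(requestOrigin, policy) {
  const headers = {};
  if (!requestOrigin) return headers; // no Origin header: not a CORS request
  if (policy.allowedOrigins.has("*") && !policy.allowCredentials) {
    // Public, non-credentialed data may use the wildcard.
    headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }
  if (!policy.allowedOrigins.has(requestOrigin)) return headers;
  // Echo the specific origin: a credentialed response may not use "*",
  // and caches must key on Origin so one origin's grant is not served to another.
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Vary"] = "Origin";
  if (policy.allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser-side check: may script running on `pageOrigin` read a response
// carrying `responseHeaders`, given the request was sent with
// XMLHttpRequest.withCredentials set to `withCredentials`?
function browserMayReadResponse(pageOrigin, withCredentials, responseHeaders) {
  const allowOrigin = responseHeaders["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false; // server never opted in
  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === pageOrigin;
  }
  // With credentials the wildcard is rejected outright, and the server must
  // additionally say Access-Control-Allow-Credentials: true.
  if (allowOrigin !== pageOrigin) return false;
  return responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Run a whole exchange: page on `pageOrigin` requests from a server using
// `policy`; returns true when the page ends up able to read the body.
function simulate(pageOrigin, withCredentials, policy) {
  const responseHeaders = corsResponseHeaders(pageOrigin, policy);
  return browserMayReadResponse(pageOrigin, withCredentials, responseHeaders);
}
```

Note that the only party who can change the outcome is the server: a page on an origin the server does not list gets nothing, however it sets withCredentials. Note also the asymmetry the post asks about: a credentialed request is gated by one extra header, but an uncredentialed one is still gated by the server opting in, which is the point Christian's reply turns on.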

Christian Biesinger

Mar 6, 2013, 2:08:39 PM3/6/13
to boomb...@google.com, Chromium-discuss
On Wed, Mar 6, 2013 at 10:30 AM, Jimmy Berry <boomb...@google.com> wrote:
> Given that one can host a proxy server and make the
> same request (ie without user credentials) why is this not available without
> a special setup like CORS or permissions? From a security standpoint
> requests can already be made with credentials using images (allows CSRF),
> but the calling page cannot see the resulting data. A form can also be
> POSTed using submit() across domains so what are the risks with allowing
> XMLHTTPRequests withCredentials = false?

The user may have access to resources that the proxy server doesn't
have, such as intranet hosts. Access could be checked by checking IP
addresses or referrers... so, it's not generally safe to let websites
read results from arbitrary hosts.

-christian

Jimmy Berry

Mar 6, 2013, 3:25:15 PM3/6/13
to Christian Biesinger, Chromium-discuss
Thanks for the explanation, that makes sense.

So is there information on the future plans/direction for web app manifests (like crx-less in Chrome) and the stuff Mozilla is implementing? I have found a number of discussions surrounding the difficulties in building certain web applications without such permissions (like a podcast app, data mashups), so it seems like something good to have.

Also, it seems odd the distinction drawn between certain permissions like allow popup or access to microphone, which are done ad hoc as needed, vs cross-origin requests to a specific domain, which seem only possible via manifest or browser-specific extension. The idea of a light-weight manifest that can request up-front the various permissions instead of asking for them one-by-one seems to make sense, but I was curious if there are plans along these lines.

As a side note, it seems like suggesting that CORS access be allowed by many sites would be beneficial if the primary concern is private resources (since withCredentials is restricted to false by default). For example, the web speech API cannot be requested across domains, which would allow for JS implementations using getUserMedia() in non-Chrome browsers. Similarly the TTS API provided by Translate or Google search results. Does that seem right?

-- 
Jimmy