Cross Origin Ajax Requests Have Landed
by Thomas | July 6th, 2009
A year ago I mentioned that cross-origin Ajax requests were coming, and then they got backed out of the last version of Firefox. Well, they are back now, and they do work in Firefox 3.5. IE 8 landed similar functionality using something called XDR (http://msdn.microsoft.com/en-us/library/dd573303(VS.85).aspx). Of course, the big question is still: is this a good thing?
Simplicity of communication rules, so I’ll just answer directly. NO, this really isn’t a good thing unless you are quite careful or you make some of your living as a security consultant.
A Note on Security
So read that carefully: you should determine validity before using script from third parties. But here is the rub: is that going to stay constant? If you look once and then just use it, what’s to say that source doesn’t change, or get owned and then own you? Absolutely nothing, unless you are monitoring the script for changes with some proxy. Great idea, almost never done.
I am certainly not the only one who sees this, and I can’t say that this type of alarm ringing is novel. In fact, we have been down this path before. Flash supports similar technology using its CrossDomain.xml file, and folks like Jeremiah Grossman clearly pointed out that out in the wild it is quite often done wrong, and in many cases quite wrong. Now that Firefox and other browsers are supporting it natively, I think we are going to see an explosion in cross-origin calls before there is a retreat as quality and security problems explode. Though that isn’t all bad; you do usually have to exercise something to shake out the problems. Just be careful!