The presentation tells about performing cross domain ajax request. Subject included principles of preflight requests and limitations of cross origin resource sharing (CORS) policy. You will be able to find implementation examples for frontend (JavaScript, jQuery, AngularJS) and for backend (.Net, Ruby on Rails). Browser compatibility is covered in section ‘Limitation in IE 8,9‘ and there shown possible workarounds. And finally there are couple words about Content Security Policy – the latest approach in Web Application Security.
10. What’s all about?
● Same-origin policy
● Cross domain requests use-cases
● Making requests with XHTTPRequest
● CSRF attacks
● Simple and not-so-simple requests
● Cross-domain limitations & Access Control
● Back-end implementation examples
● Limitation in Internet Explorer 8, 9
● Workarounds (proxy, JSONP)
● Content Security Policy
11. • Only GET, HEAD or POST
• No custom headers
• Content-Type only
application/x-www-form-urlencoded,
multipart/form-data, or text/plain
• All other will have
preflighted request
Not-so-simple and
simple requests
http OPTIONS (Origin: http://example.com:81)
200 Access-Control-Allow- ...
direct GET/POST/PUT/DELETE request
as allowed by access headers
preflightedapplication
12. • Request always contains an
Origin
• Allow-Origin can be * for
read requests
• For modify requests it should
be set manually
• Allow-Origin can’t be * with
Allow-Credentials: true
Access-Control
headers
Origin: origin
Access-Control-Request-Method: put
Access-Control-Request-Headers: …
Access-Control-Allow-Origin: origin | *
Access-Control-Max-Age: 300
Access-Control-Allow-Credentials: bool
Access-Control-Allow-Methods: put, get
Access-Control-Allow-Headers: …
Access-Control-Expose-Headers: …
preflighted
requestresponse
http://www.html5rocks.com/en/tutorials/cors/
13. • Have white list of origins
• If not possible use X-
CSRF-Token
Prevent attacks
set header X-CSRF-Token
previous
request
next
request
return X-CSRF-Token
server
validation
server response with new X-CSRF-
Token
http://mircozeiss.com/using-csrf-with-express-
and-angular/
14. What’s all about?
● Same-origin policy
● Cross domain requests use-cases
● Making requests with XHTTPRequest
● CSRF attacks
● Simple and not-so-simple requests
● Cross-domain limitations & Access Control
● Back-end implementation examples
● Limitation in Internet Explorer 8, 9
● Workarounds (proxy, JSONP)
● Content Security Policy
17. • Most probably you will
never need it, but in case
flowchart is under link
below
Manual
implementation
http://www.html5rocks.com/en/tutorials/cors/
18. What’s all about?
● Same-origin policy
● Cross domain requests use-cases
● Making requests with XHTTPRequest
● CSRF attacks
● Simple and not-so-simple requests
● Cross-domain limitations & Access Control
● Back-end implementation examples
● Limitation in Internet Explorer 8, 9
● Workarounds (proxy, JSONP)
● Content Security Policy
19. • IE ≤ 7 is not a browser
• IE10+ is already a browser
• IE8-9 can be handled with
XDomainRequest
Most loved browser
20. Limitation in Internet Explorer 8, 9
Feature detection
var xhr = new XMLHttpRequest();
if ("withCredentials" in xhr) {
//"withCredentials" only exists on XMLHTTPRequest2 objects
xhr.open(method, url, async, user, password);
} else if (typeof XDomainRequest != "undefined") {
xhr = new XDomainRequest();
xhr.open(method, url);
} else {
//Otherwise, CORS is not supported by the browser
xhr = null;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
21. 1. The target URL must be accessed using only the methods GET and
POST
2. No custom headers may be added to the request
3. Only text/plain is supported for the request's Content-Type header
4. No authentication or cookies will be sent with the request
5. Requests must be targeted to the same scheme as the hosting page
6. The target URL must be accessed using the HTTP or HTTPS protocols
7. Requests targeted to Intranet URLs may only be made from the Intranet
Zone
Limitation in Internet Explorer 8, 9
Things to remember
http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx