RE: [WEB SECURITY] AJAX load content from different hosts/sites?
- From: "Hoffman, Billy" <billy.hoffman@xxxxxx>
- Subject: RE: [WEB SECURITY] AJAX load content from different hosts/sites?
- Date: Thu, 24 Jan 2008 16:38:40 +0000
You cannot use XMLHttpRequest to access content on other domains. (Actually there is a crazy way with document.domain and subdomains, but it's a bad idea.)
How you should request and handle 3rd party content depends on what you are doing with it.
If you simply want to display content from multiple sites to the user in a page and not have that content interact with each other, use iframe jails.
If content you have needs to interact with content they have, you have 2 options:
-Remote scripting (using <SCRIPT SRC>). Because this relies on using callback functions, etc., this only works if you control the 3rd party site or they have specifically set up an API for you. Arbitrary content that has not already been wrapped in a JavaScript transport layer by the owner will not be accessible.
-Ajax Proxies (aka Ajax gateways, Ajax application proxies, etc.). This is fairly common. You open a webservice on your web server which then requests the 3rd party resources you need. Don't deploy something like ajaxproxy.php?fetch="http://site.com". Deliberately hardcode the websites you will be contacting inside the server-side code of the Ajax proxy webservice. Also, you may still need to use iframe jails, depending on the content. It's easy to mess this up if you aren't careful.
Outside of pure client-side JavaScript, you have two options:
-Use a hybrid of Flash and JavaScript. You can leverage Flash's features to access Flash resources on 3rd party sites, which are secured using Flash cross domain policies (crossdomain.xml and System.security.allowDomain()). Please note this also exposes access to Local Storage objects created by other Flash
-Request all the content from 3rd parties on your web server and integrate it all into the web page before returning it to the user. In other words, fetch all 3rd party content on page load. This isn't very "Ajaxy."
All of this is covered extensively in Chapter 11 of the book Ajax Security.
Hope that helps,
Billy Hoffman
--
Manager, HP Security Labs
HP Software
Phone: 678-781-4800
Direct: 678-781-4845
http://www.hp.com
-----Original Message-----
From: Koen Van Impe [mailto:koen.vanimpe@xxxxxxxxx]
Sent: Tuesday, January 22, 2008 6:14 PM
To: Mattias Ahnberg
Cc: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] AJAX load content from different hosts/sites?
Mattias Ahnberg wrote:
> I just put the .js files on the other site (since I control
> them both) and included it from there, thus circumventing the
> same origin policy. It works well for my situation.
If you're thinking about "exchanging" data / APIs between webapps on two
different sites then SOAP might be the way to go ... but then again, it
all depends on your specific needs.
PM me if you want a simple SOAP skeleton sample.
Good luck,
Koen
--
Koen Van Impe
koen.vanimpe@xxxxxxxxx
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org