I spent the last 3 days studying how to make a cross-domain request using XMLHttpRequest. The best alternative is indeed JSONP, which I am already using.
But I still have a question that I could not find an answer to anywhere. I read hundreds of posts (including SO ones) and nobody has a good, reliable answer (with a nice reference). Hope someone here can help.
That said, I read on many websites that due to security reasons I cannot make an Ajax request from domain aaa. to bbb. and get the data I want. It's very clear and I have no question about that. BUT the problem is when I run the code below on my localhost (so my domain is "localhost" and I should not be able to request any data from another domain).
```javascript
// Plain cross-origin GET from a page on localhost; the target URL is kept as it appears in the question.
var xhReq = new XMLHttpRequest();
xhReq.open("GET", "http://domain.?parameter", true); // asynchronous request to another origin
xhReq.send(null);
```
When I inspect the Firebug Net tab I realize that the request was not blocked! It was clearly requested. I could not believe it. So I created a file at domain./log.php where I could log any request that hit my domain. Surprisingly, all the requests I was firing from localhost were hitting my domain. When I tried to fetch the response I really could not get it, due to the same-origin policy of my Chrome and Firebug browser. But I was really surprised that the request really hit the webserver even though I could not manipulate the response.
More surprisingly, if domain./log.php generates a huge response of about 1MB, Firebug showed me that the browser does download ALL the 1MB from the webserver, and at the end it shows the message "Access denied" as expected. So why download the whole file if the same-origin policy forbids that data from being read?
Finally, what amazes me is that all the websites and specifications I read say very CLEARLY that the request is blocked when using Ajax if the target domain does not match the source domain. But clearly, in my experiment, the requests are being completed, even though I cannot access the response data.
What makes me upset is that it could open a BIG security hole, in which a website with thousands of views every day could run this 3-line code and cause a HUGE DDoS attack on an unfriendly website just by making its users request a page on another website at small intervals, since the browser will not block the request.
I tested this script in IE 7, 8 and 9, the latest Chrome and the latest Firefox, and the behaviour is the same: the request is made and the browser downloads the whole response while not making it available due to the SOP.
Hope someone can explain to me why the specs are so wrong about it, or what I am misunderstanding!
asked Oct 30, 2013 at 3:44 by Samul
Comments:
- Nice question. Have no idea why the request hit the external domain. I did a test here and, like you, the request was completed, however I could not fetch the response. Hope someone helps. – amandanovaes, Oct 30, 2013 at 3:48
- Can you check whether domain. has CORS enabled.... but if so IE should not work... anyway, can you confirm? – Arun P Johny, Oct 30, 2013 at 4:10
- @ArunPJohny no, CORS is not enabled. It's an example site. You can change domain. to any domain and you will see in Firebug or the Chrome Net console that the request is completed with no error. It's clear that this is not a bug because all the browsers I tested behave the same way, but why does the specification say that the request "is blocked" for cross-domain Ajax requests? – Samul, Oct 30, 2013 at 15:56
- I just want you to know that I spent the last hours making several tests and in all cases the request succeeds and hits the server! Really odd, this! Thanks for posting this question. – amandanovaes, Oct 30, 2013 at 17:48
2 Answers
This happens because the same origin policy is applied on the client side (browser) by evaluating the following access control header values returned from the server:
- Access-Control-Allow-Origin
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
As you can see, the request must first be completed on the server in order for the browser to inspect the returned headers. This is exactly the reason why your request executes on the server.
You can have a look at Principles of the Same-Origin Policy by A. Barth.
See bobince's answer at a similar question:
As per XMLHttpRequest level 2, browsers allow cross-origin GETs to be sent without preflighting, but don't allow the results to be read from the response unless the remote domain opts in. There is no additional vulnerability here because you can already cause a GET to an arbitrary URL to be sent (including query string, for what it's worth) through multiple more basic interfaces.
For example you have always been able to create an element with its src set to an address on a remote domain; taking away that cross-domain ability would break a lot of the existing web.
Related:
- Caniuse
- XHR2 Spec
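As an added example (not code from the question or the answer above), the following Node.js script models the three decisions discussed on this page: the origin comparison from Barth's "Principles of the Same-Origin Policy" (RFC 6454), the simple-request versus preflight distinction from XHR2 that bobince's quote refers to, and the response-side Access-Control-Allow-Origin check the answer lists. The remote server is a stand-in function that logs every request it receives, playing the role of the question's log.php; the origins localhost and remote.example, the path /log.php?parameter=1 and all header values are constructed for the example. Only the global URL class is used, so it runs without a browser or network.

```javascript
// Added example, not code from the original question or answer. It models, in
// plain Node.js (global URL class, no browser or network), the decisions a
// browser makes around a cross-origin XMLHttpRequest. The remote server is a
// stand-in that logs every hit, like the question's log.php. Wildcard "*" in
// Allow-Methods/Allow-Headers is not modelled.

// RFC 6454: an origin is the (scheme, host, port) tuple. URL.origin serialises
// it and omits default ports, so http://h/ and http://h:80/ compare equal.
function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// CORS-safelisted methods and headers; anything outside them needs a preflight.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Lower-cased names of request headers that are not safelisted.
function unsafeHeaders(requestHeaders) {
  return Object.entries(requestHeaders)
    .filter(([name, value]) => {
      const lower = name.toLowerCase();
      if (!SAFE_HEADERS.has(lower)) return true;
      return lower === "content-type" && !SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
    })
    .map(([name]) => name.toLowerCase());
}

function needsPreflight(method, requestHeaders = {}) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaders(requestHeaders).length > 0;
}

// Response-side check: script may read the body only if the server opted in.
// Access-Control-Allow-Origin must equal the requesting origin byte-for-byte,
// or be "*" for a request sent without credentials (cookies, HTTP auth).
function responseReadable(requestOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  if (acao !== requestOrigin) return false;
  return !withCredentials || responseHeaders["access-control-allow-credentials"] === "true";
}

// Stand-in remote server: logs every hit and answers with the configured CORS
// headers and a 1 MiB body, so the wasted download is visible in the result.
function makeServer(corsHeaders = {}) {
  const log = [];
  return {
    log,
    handle(method, url) {
      const u = new URL(url);
      log.push(`${method} ${u.pathname}${u.search}`);
      return { status: 200, headers: { ...corsHeaders }, body: "x".repeat(1024 * 1024) };
    },
  };
}

// Simulated XHR from a page at pageUrl to targetUrl.
function simulateXhr(pageUrl, targetUrl, server, opts = {}) {
  const { method = "GET", headers = {}, withCredentials = false } = opts;
  const requestOrigin = originOf(pageUrl);
  const crossOrigin = !sameOrigin(pageUrl, targetUrl);
  if (crossOrigin && needsPreflight(method, headers)) {
    // Non-simple request: OPTIONS preflight first; the real request is only
    // sent if the server approves the origin, the method and the header names.
    const pre = server.handle("OPTIONS", targetUrl);
    const methods = (pre.headers["access-control-allow-methods"] || "").toUpperCase().split(/\s*,\s*/);
    const allowed = (pre.headers["access-control-allow-headers"] || "").toLowerCase().split(/\s*,\s*/);
    const ok = responseReadable(requestOrigin, pre.headers, withCredentials)
      && (SAFE_METHODS.has(method.toUpperCase()) || methods.includes(method.toUpperCase()))
      && unsafeHeaders(headers).every((h) => allowed.includes(h));
    if (!ok) return { requestSent: false, bytesDownloaded: 0, responseText: null, error: "Preflight failed" };
  }
  // Simple (or approved) request: it always reaches the server and the whole
  // body is downloaded before the browser decides whether script may read it.
  const res = server.handle(method, targetUrl);
  const readable = !crossOrigin || responseReadable(requestOrigin, res.headers, withCredentials);
  return {
    requestSent: true,
    bytesDownloaded: res.body.length,
    responseText: readable ? res.body : null,
    error: readable ? null : "Access denied (same-origin policy)",
  };
}

// Walk-through: the question's bare GET from a localhost page to a remote host.
const demo = makeServer();
const demoResult = simulateXhr("http://localhost/index.html", "http://remote.example/log.php?parameter=1", demo);
console.log(demo.log, demoResult.bytesDownloaded, demoResult.error);
```

The walk-through reproduces the observation in the question: the server log shows the GET, bytesDownloaded is the full 1 MiB, and only the last step (exposing the body to script) fails. Switching the server to send Access-Control-Allow-Origin: http://localhost makes the same request readable, while a PUT with a custom header against a server that does not answer the OPTIONS preflight never reaches the server at all, which is the distinction bobince's answer draws between simple and non-simple requests.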
Tags: javascript, XMLHttpRequest, Same Origin Policy
Title: javascript - XMLHttpRequest Same Origin Policy - Stack Overflow