Disable cross domain requests

Hello,

A loyal user recently made a non-malicious JS script on his web site that performs an AJAX request to one of my scripts on my web server (cross-domain). He noticed that this request went through and was performed successfully and brought this to my attention.

How might I go about disabling cross-domain AJAX requests? I thought this wasn’t possible by default, but I guess I am mistaken.

Thanks in advance.

It’s “legal” to make a request to another JavaScript file cross domain. While you could call it “AJAX” it’s more in the order of “I’m downloading a file from someone’s server and looking inside at the contents”.

JavaScript files are simply publicly accessible files, so they can be requested as files and executed in the client that requested them.

In a nutshell, a true cross-domain AJAX request occurs when someone attempts to retrieve data from a web service (or similar) from a JavaScript that is not on the same domain. Normally this is something that fails because of the Same-Origin Policy, and a technique called JSONP (http://en.wikipedia.org/wiki/JSONP) needs to be used on both sides to facilitate communication.

While the Same-Origin Policy isn't foolproof, it helps reject a fair number of requests. If you really want to be super safe and make sure only scripts on your site are allowed to make AJAX requests, you could implement a token system similar to the way WordPress does it with nonces (http://markjaquith.wordpress.com/2006/06/02/wordpress-203-nonces/; Wikipedia page on nonces: http://en.wikipedia.org/wiki/Cryptographic_nonce).
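To make the token idea in the answer above concrete, here is an added example (not code from the thread, and not WordPress's own code) of a server-side nonce scheme modelled on the WordPress approach: the nonce is a keyed hash over a time "tick", the action name and the user ID, and it is accepted for the current tick and the previous one, so it lives for between half and the full lifetime. Your own pages embed the nonce in the form or in the page's JavaScript; a script on another domain cannot read your pages under the Same-Origin Policy, so it cannot obtain a valid nonce and the server rejects its request. `SECRET_KEY`, the action name `update_profile`, the `_nonce` parameter and `handle_ajax` are assumptions for the illustration, and SHA-256 is used here where WordPress uses an MD5 HMAC.

```python
import hmac
import hashlib
import math
import time

# Hypothetical server-side secret used to key the nonce HMAC. In a real
# deployment load it from configuration; never hard-code it.
SECRET_KEY = b"replace-with-a-long-random-secret"

# Seconds a nonce stays valid. WordPress uses 24 hours.
NONCE_LIFE = 24 * 60 * 60


def _tick(now):
    # Time is divided into half-lifetime windows. A nonce is accepted for
    # the current window and the previous one, so it is valid for somewhere
    # between NONCE_LIFE/2 and NONCE_LIFE seconds.
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_hash(tick, action, user_id):
    # Bind the nonce to the tick, the action and the user so that a nonce
    # minted for one purpose or one user cannot be replayed for another.
    msg = f"{tick}|{action}|{user_id}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    # 10 hex characters, mirroring WordPress's substr(-12, 10) truncation.
    return digest[-12:-2]


def create_nonce(action, user_id, now=None):
    """Mint a nonce for this action and user; emit it only into your own pages."""
    now = time.time() if now is None else now
    return _nonce_hash(_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """Return 1 if the nonce is from the current tick, 2 if from the previous
    tick, or False if it is invalid, expired, or bound to another action/user."""
    now = time.time() if now is None else now
    tick = _tick(now)
    candidate = str(nonce).encode()
    if hmac.compare_digest(candidate, _nonce_hash(tick, action, user_id).encode()):
        return 1
    if hmac.compare_digest(candidate, _nonce_hash(tick - 1, action, user_id).encode()):
        return 2
    return False


def handle_ajax(params, user_id, now=None):
    """Simulated AJAX endpoint (hypothetical): refuse the request unless it
    carries a nonce that one of our own pages minted for this action and user."""
    nonce = params.get("_nonce", "")
    if not verify_nonce(nonce, "update_profile", user_id, now):
        return 403, "invalid or expired nonce"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample: the logged-in page mints a nonce, the AJAX call sends it back.
    token = create_nonce("update_profile", 42)
    print(handle_ajax({"_nonce": token}, 42))        # (200, 'ok')
    print(handle_ajax({}, 42))                       # (403, 'invalid or expired nonce')
    print(handle_ajax({"_nonce": token}, 7))         # (403, ...) wrong user
```

The `now` parameter exists so the tick windows can be exercised deterministically; in production the default of `time.time()` is what you want. Note that the nonce only proves the request originated from a page you served to that user; it is not a substitute for checking that the user is actually logged in and authorised for the action.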