1 of 88

Web Security

�Week 4 - Exceptions to the Same Origin Policy

Old Dominion University

Department of Computer Science

CS 433/533 Fall 2023

Michael L. Nelson <mln@cs.odu.edu>

2024-09-16

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

2 of 88

Same origin policy exceptions

From last week: There are explicit opt-in mechanisms like document.domain, fragment identifier communication, and the postMessage API
There are also automatic exceptions

Need to be aware of these!
Source of many security issues!

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

3 of 88

<img>, <script>, and CSS are

same origin policy exceptions!

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

4 of 88

Same origin policy and

ambient authority

Remember: Ambient authority is implemented by cookies
One consequence: attacker.com can embed user's real avatar from target.com:

<h1>Welcome to your account!</h1>

In the above example, the URL target.com/avatar.png is used for all accounts, with the cookie used by the server to distinguish your avatar from my avatar. This is instead of having the server include different URLs (target.com/avatar-001.png, avatar-002.png, etc.) which would make the HTML page less cacheable.

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

5 of 88

Solution: SameSite cookies

Use SameSite cookie attribute to prevent cookie from being sent with requests initiated by other sites

From target.com:

GET /avatar.png HTTP/1.1

Cookie: sessionId=1234

Referer: https://target.com/

From attacker.com:

GET /avatar.png HTTP/1.1

Referer: https://attacker.com/

if attacker.com is a phishing site, it is now a lot harder to build a convincing look-alike.

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

6 of 88

Solution: Referer header

Inspect the Referer HTTP header
Reject any requests from origins not on an "allowlist"
One gotcha: Watch out for HTTP caches!

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

7 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

8 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

9 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

10 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

11 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

12 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

13 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

14 of 88

Referer

Inspect the Referer HTTP header
Reject any requests from origins not on an "allowlist"
One gotcha: Watch out for HTTP caches!

Add a Vary: Referer header

this could create a lot of otherwise duplicate cache entries

Or, add a Cache-Control: no-store header

this could create a lot unnecessary cache misses

Another gotcha: Sites can opt out of sending the Referer header!

Defeats this whole mechanism. So, just use SameSite cookies!

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

15 of 88

Remember that forms can POST to another origin!

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

16 of 88

Cookies do not obey

same origin policy

Cookies were created before Same Origin Policy so have different security model
Cookies are more specific than Same Origin Policy

Path is ineffective because same origin pages can access each other's DOMs (recall week 2’s lecture)

Cookies are less specific than Same Origin Policy

Different origins can mess with each others cookies (e.g., attacker.odu.edu can set cookies for odu.edu)

This is why, among other reasons, we have leonline.odu.edu and not odu.edu/leoonline

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

17 of 88

We can harden or relax the

same origin policy

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

18 of 88

Revisiting what the same origin policy allows

Is site A allowed to link to site B? Yes!
Is site A allowed to embed site B? Yes!
Is site A allowed to embed site B and modify its contents? No!
Is site A allowed to submit a form to site B? Yes!
Is site A allowed to embed images from site B? Yes!
Is site A allowed to embed scripts from site B? Yes!
Is site A allowed to read data from site B? No!

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

19 of 88

Hardening the

same origin policy

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

20 of 88

Recall the Referer request header

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

21 of 88

Referer can leak info to other sites

Here's a link I only share with my friends – don't tell anyone else!!!

https://www.cs.odu.edu/~mln/teaching/cs595-s21/sooper-sekrit-product-ideas.html

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

22 of 88

Now Google knows my secret URL

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

23 of 88

Referrer-Policy response header

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

24 of 88

docs.google.com prevents your browser from leaking Referer info to non-Google Docs sites

$ curl -I https://docs.google.com/presentation/d/1NFyC1huil5uOic4ITtEUlogUqAfP8PQIpNGChtUJE7Y/edit#slide=id.gbc694ac400_0_109

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

X-Robots-Tag: noindex, nofollow, nosnippet

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: Mon, 01 Jan 1990 00:00:00 GMT

Date: Wed, 10 Feb 2021 23:09:33 GMT

Content-Length: 447525

P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."

Strict-Transport-Security: max-age=31536000; includeSubDomains

Content-Security-Policy: base-uri 'self';object-src 'self' blob:;report-uri https://docs.google.com/presentation/cspreport;script-src 'nonce-gLqphbwqOVspb3On6UUgRg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval'

Referrer-Policy: origin

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Server: GSE

Set-Cookie: NID=209=I91MVBS_rjRS743-o56cJmCDW265Pc_heOTp1mkqZoWNSD607unmBwGbJtPAqW_yuWuLB1JcnelNlusFvFPv5vbceFJ2pQyaPkF6fZEUk-M6bJv8N_ccE6xDZAId6PHIU4dvTtcbZ9S0u_5waaDSs1ExL8DZ03ddkoy3Ytag5_w; expires=Thu, 12-Aug-2021 23:09:33 GMT; path=/; domain=.google.com; HttpOnly

Set-Cookie: S=apps-presentations=JGHgefN3DDdAbjDbv_fnwWTzOMb8ogaxLXJwVGrigXg; Domain=.docs.google.com; Expires=Thu, 11-Feb-2021 00:09:33 GMT; Path=/presentation/d/1NFyC1huil5uOic4ITtEUlogUqAfP8PQIpNGChtUJE7Y; Secure; HttpOnly; SameSite=none

Set-Cookie: GFE_RTT=462; Domain=.docs.google.com; Expires=Wed, 10-Feb-2021 23:14:33 GMT; Path=/; Secure; Priority=LOW; SameSite=strict

Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

25 of 88

Policies

Examples

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

26 of 88

Change the response depending on how the user got to your site?

GET https://badguys.com/ HTTP/1.1

Referer: https://goodguys.com/somepage.html

…

Should badguys.com:

block the request?
modify the response?
offer a discount or incentive?

Cf. Cloaking

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

27 of 88

In the bad old days...

https://www.ghacks.net/2017/07/02/photobucket-alternatives-for-third-party/

photo hosting sites would check the Referer: request header to ensure that it was coming from the same site (e.g., photobucket.com)

photo hosting site would rate limit based on page views per month, etc.

average users did not know to do:

GET http://photobucket.com/winneri/someImage.jpeg

Referer: http://www.stampboards.com/viewtopic.php?t=1234

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

28 of 88

The server can’t really prevent being linked to, but it can make it frustrating for normal users

a tutorial to implement limiting 3rd party image hosting, the demos of which, ironically, no longer work:

https://alistapart.com/article/hotlinking/

many browser extensions to defeat these kinds of restrictions, here’s one:

https://github.com/Ryan-Myers/photobucket-embed-fix

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

29 of 88

Sites can control

who embeds them

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

30 of 88

Clickjacking!

attack site is

embedding a frame from ebay
using CSS to shift the ebay frame so the “buy it now” button lines up with the “FREE” button from the attacker
the ebay frame is “on top”, but is invisible (opacity=0), so clicking “FREE” is really clicking “buy it now”

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

31 of 88

Frame busting!

if (window.top.location != window.location) {

window.top.location = window.location

}

</script>

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

32 of 88

Turns out that doesn’t work...

https://seclab.stanford.edu/websec/framebusting/

Takeaway: Don’t rely on .js to bust out of frames because the framing (attacker) site can counter your .js. Instead, use HTTP headers to specify framing preferences and let the browser enforce those policies.

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

33 of 88

X-Frame-Options response header

$ curl -IL www.google.com

HTTP/1.1 200 OK

Content-Type: text/html; charset=ISO-8859-1

P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."

Date: Thu, 11 Feb 2021 00:03:43 GMT

Server: gws

X-XSS-Protection: 0

X-Frame-Options: SAMEORIGIN

Transfer-Encoding: chunked

Expires: Thu, 11 Feb 2021 00:03:43 GMT

Cache-Control: private

Set-Cookie: 1P_JAR=2021-02-11-00; expires=Sat, 13-Mar-2021 00:03:43 GMT; path=/; domain=.google.com; Secure

Set-Cookie: NID=209=LV-khsyfMtVPfMrFmpjNu373gMzk4jg4TsyvZ346nnZAu9zLyz1vVSFOcHfTWOeVCUrEXI-XM_9XaeZ-1O8yWZKxCwxQQEBrdIgrV4ah1XPhJwYS9nQjn3B1utiTPCpGYuF3b8pFvQq57Y2LtHxVrzsFSz2IvGgO1e5w6Tt7Tdw; expires=Fri, 13-Aug-2021 00:03:43 GMT; path=/; domain=.google.com; HttpOnly

Deprecating the "X-" Prefix and Similar Constructs in Application Protocols

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

34 of 88

Unclear specs are bad...

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

https://datatracker.ietf.org/doc/html/rfc7034

not present = “anyone can frame me”

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

35 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

36 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

37 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

38 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

39 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

40 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

41 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

42 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

43 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

44 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

45 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

46 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

47 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

48 of 88

It’s turtles all the way down...

Until recently, browsers performed a check only against top-level window
Thus, attackers could set up a framing chain which would be allowed:

target.com embeds attacker.com embeds target.com
this could happen with evil or hacked ad sites!

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

49 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

50 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

51 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

52 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

53 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

54 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

55 of 88

yikes!

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

56 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

57 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

58 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

59 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

60 of 88

better

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

61 of 88

Replacement for X-Frame-Options:

Content-Security-Policy: frame-ancestors

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

More on the Content-Security-Policy: response header in later weeks.

Spoiler: Good news: CSP is rich and powerful! Bad news: CSP is rich and powerful!

same as X-Frame-Options: deny

allow frames from two origins:

where it’s being served

(self, aka sameorigin)

https://www.example.org/

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

62 of 88

Can we prevent a site from submitting a form to our site?

Why do this?

Prevent cross-site request forgery (CSRF; previous lecture)

How might we accomplish this?

Detect Origin header, use an allowlist
SameSite cookies
What's the difference?

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

63 of 88

Can we prevent a site from embedding images from our site?

Why do this?

Prevent hotlinking
Prevent user's logged-in avatar from showing up on other sites

How might we accomplish this?

For hotlinking: Detect Referer header, use an allowlist (not foolproof)
For avatar: Use SameSite cookies
For avatar: Use an unpredictable URL

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

64 of 88

Can we prevent a site from embedding scripts from our site?

Why do this?

Prevent hotlinking

Important notes

Scripts typically do not contain private user data
Scripts run in the context of the embedding site

How might we accomplish this?

Similar to images: detect Referer header, use an allowlist (not foolproof)

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

65 of 88

Typical cross-site script embed

d3.select('svg').selectAll('rect').data(data).enter()

</script>

Cross-site use of standard libraries (like D3) is common.

We want to encourage this kind of reuse.

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

66 of 88

Revisiting the same origin policy

Is site A allowed to link to site B? Yes!

Or no! (No is not foolproof)

Is site A allowed to embed site B? Yes!

Or no!

Is site A allowed to embed site B and modify its contents? No!
Is site A allowed to submit a form to site B? Yes!

Or no!

Is site A allowed to embed images from site B? Yes!

Or no! (No is not foolproof)

Is site A allowed to embed scripts from site B? Yes!

Or no! (No is not foolproof)

Is site A allowed to read data from site B? No!

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

67 of 88

Is site A allowed to read data

from site B?

No!
Important: embedding an image, script, or iframe is not "reading data"

We could embed images, scripts, but not read the actual raw data in them
For iframes we couldn't access the DOM to read/write it

This is precisely what we mean by "reading data":

const res = await fetch('https://leoonline.odu.edu/transcript.pdf')

const data = await res.body.arrayBuffer()

console.log(data)

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

68 of 88

What if site A and site B cooperate?

If a page cooperates, then it can share data with another site

e.g., make an iframe and use postMessage to communicate

What about for arbitrary (e.g., non-HTML) resources?

e.g., an API server that returns the current date as JSON:

{ "date": 1570552348157 }

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

69 of 88

Use case: Date API Server

Server code:

app.get('/api/date', (req, res) => {

res.send({ date: Date.now() })

})

Server response:

{ "date": 1570552348157 }

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

70 of 88

How to read the response from the client?

Ideally, site-a.com could write this code:

const res = await fetch('https://site-b.com/api/date') const data = await res.body.json()

console.log(data)

Need some way for site to specify that response is allowed to be read

Ideally, HTTP response could specify an HTTP header indicating that reading this data is allowed
Challenge: can we do it without an HTTP header?

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

71 of 88

Using <script> for cross-site communication

Goal: site-a.com wants to read data from a cooperating site-b.com
What if we requested data using a <script> tag?

<script> is not subject to the Same Origin Policy

Remember: Cannot read data from a cross-origin script!

But, the contents will be treated as JavaScript and executed
Can we use this somehow?

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

72 of 88

Naive idea

Add a script element to site-a.com's HTML:

Response from site-b.com/api/date:

{ "date": 1570552348157 }

Problems:

Not quite valid JavaScript
Script can be executed and results observed (i.e., rendered), but contents can’t be read by a script at site-a.com

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

73 of 88

JSONP: JSON with Padding

Add a script to site-a.com:

function handleTime (data) {

console.log('got the date', data.date)

}

</script>

Response from site-b.com/api/date?callback=handleTime

handleTime({ "date": 1570552348157 })

site-a.com: I would like to access your response in a function I'm choosing to call handleTime(). Please name it that.

site-b.com: I hear you loud and clear, and 've named my little Javascript response accordingly.

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

74 of 88

Downsides of JSONP

From site-a.com's perspective:

Need to write additional code to support cross-origin requests
Need to be careful: Some valid JSON strings are not legal JavaScript
Only want to get data from site-b.com, but need to give site-a.com the ability to run arbitrary JavaScript from site-b.com – yikes!

From site-b.com's perspective:

Need to sanitize user-provided callback argument (see upcoming "reflected file download attack")

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

75 of 88

Cross-Origin Resource Sharing (CORS)

site-b.com allows origin https://site-a.com to read data:

Access-Control-Allow-Origin: https://site-a.com

site-b.com allows any origin to read data:

Access-Control-Allow-Origin: *

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

76 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

77 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

78 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

79 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

80 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

81 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

82 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

83 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

84 of 88

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

85 of 88

CORS version of the Date API

Server code:

app.get('/api/date', (req, res) => {

res.set('Access-Control-Allow-Origin', '*')

res.send({ date: Date.now() })

})

Server response:

{ "date": 1570552348157 }

this is the server (site-b.com) telling all browsers: “it’s cool if anyone reads this data -- there’s nothing private or protected in the response”

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

86 of 88

Ensuring private data returned by an authenticated API route isn't read by other sites?

Don't set Access-Control-Allow-Origin header (no fetch read)
Don't return data in JSONP format (no <script> read)
Just return JSON

JSON like { "date": 1570552348157 } can't be read by <script>
JSON response will never be valid JavaScript ...right?
Or even if it is, it's not assigned to a variable so it's inaccessible ...right?

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

87 of 88

Real world CORS example

% curl -isL memgator.cs.odu.edu/timemap/json/http://www.odu.edu/ | head -20

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Access-Control-Expose-Headers: Link, Location, X-Memento-Count, Server

Content-Type: application/json

Date: Thu, 11 Feb 2021 17:42:30 GMT

Server: MemGator/1.0-rc8

X-Memento-Count: 5116

Transfer-Encoding: chunked

{

"original_uri": "http://www.odu.edu/",

"self": "https://memgator.cs.odu.edu/timemap/json/http://www.odu.edu/",

"mementos": {

"list": [

{

"datetime": "1996-12-21T05:13:52Z",

"uri": "https://web.archive.org/web/19961221051352/http://odu.edu:80/"

{

"datetime": "1997-12-11T00:24:13Z",

[much more to the response, this is only the first 20 lines]

These two headers are readable by scripts running at any origin

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh

88 of 88

The other two headers

% curl -I https://memgator.cs.odu.edu/timegate/http://www.odu.edu/

HTTP/1.1 302 Found

Server: nginx/1.18.0 (Ubuntu)

Date: Wed, 20 Sep 2023 18:03:13 GMT

Content-Type: text/html; charset=utf-8

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Expose-Headers: Link, Location, X-Memento-Count, Server

Link: <http://www.odu.edu/>; rel="original", <http://archive.md/20120805114200/http://www.odu.edu/>; rel="first memento"; datetime="Sun, 05 Aug 2012 11:42:00 GMT", <https://wayback.archive-it.org/all/20230826045613/http://odu.edu/>; rel="prev memento"; datetime="Sat, 26 Aug 2023 04:56:13 GMT", <https://web.archive.org/web/20230918165416/https://www.odu.edu/>; rel="last memento"; datetime="Mon, 18 Sep 2023 16:54:16 GMT", <https://memgator.cs.odu.edu/timemap/link/http://www.odu.edu/>; rel="timemap"; type="application/link-format", <https://memgator.cs.odu.edu/timemap/json/http://www.odu.edu/>; rel="timemap"; type="application/json", <https://memgator.cs.odu.edu/timemap/cdxj/http://www.odu.edu/>; rel="timemap"; type="application/cdxj+ors", <https://memgator.cs.odu.edu/timegate/http://www.odu.edu/>; rel="timegate"

Location: https://web.archive.org/web/20230918165416/https://www.odu.edu/

Vary: accept-datetime

These two headers are readable by scripts running at any origin

ODU CS 433/533 Web Security Fall 2024 mln@cs.odu.edu

Based on Stanford CS 253 by Feross Aboukhadijeh