Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • CORS Essentials
  • Toc
  • feedback
CORS Essentials

CORS Essentials

By : Gunasundaram
3 (1)
close
CORS Essentials

CORS Essentials

3 (1)
By: Gunasundaram

Overview of this book

This book explains how to use CORS, including specific implementations for platforms such as Drupal, WordPress, IIS Server, ASP.NET, JBoss, Windows Azure, and Salesforce, as well as how to use CORS in the Cloud on Amazon AWS, YouTube, Mulesoft, and others. It examines limitations, security risks, and alternatives to CORS. It explores the W3C Specification and major developer documentation sources about CORS. It attempts to predict what kinds of extension to the CORS specification, or completely new techniques, will come in the future to address the limitations of CORS Web developers will learn how to share code and assets across domains with CORS. They will learn a variety of techniques that are rather similar in their method and syntax. The book is organized by similar types of framework and application, so it can be used as a reference. Developers will learn about special cases, such as when a proxy is necessary. And they will learn about some alternative techniques that achieve similar goals, and when they may be preferable to using CORS
Table of Contents (10 chapters)
close
close
Preface
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Free Chapter
1
1. Why You Need CORS
chevron up
1. Why You Need CORS
The same-origin policy
Considering the origin of entities
Commonly allowed cross-origin resource sharing
Permissions required by JavaScript
How CORS works – the header and the request
CORS with Preflight
Troubleshooting and debugging CORS
CORS with jQuery
Enabling CORS globally with server configuration
Alternatives to CORS
Summary
2
2. Creating Proxies for CORS
2. Creating Proxies for CORS
Proxies and the World Wide Web
What is a proxy server?
Reasons to use a proxy
Creating a proxy server with Google App Engine
Summary
3
3. Usability and Security
3. Usability and Security
CORS usability
Enhancing security in CORS
Summary
4
4. CORS in Popular Content Management Frameworks
4. CORS in Popular Content Management Frameworks
Incoming CORS requests
SAAS or self-hosted?
CORS in WordPress
CORS in Drupal
CORS in Joomla!
CORS in Adobe Experience Manager
Summary
5
5. CORS in Windows
5. CORS in Windows
Incoming CORS requests
How to set the Access-Control-Allow-Origin header globally in Windows IIS Server
CORS in the ASP.NET Web API
CORS in Windows Communication Foundation
CORS in Windows browsers – Internet Explorer and Edge
Summary
6
6. CORS in the Cloud
6. CORS in the Cloud
CORS requests in cloud APIs
CORS in Amazon Simple Storage Service (S3)
Using CORS in Google Cloud Storage
Authenticated access to Google APIs with CORS
CORS in IBM Cloudant
CORS in Windows Azure Storage
CORS in Box API
CORS in the Dropbox API
Summary
References
7
7. CORS in Node.js
7. CORS in Node.js
JavaScript frameworks are very popular
Introduction to Node.js
JavaScript frameworks that work with Node.js
CORS in Express.js
CORS npm for Express.js using Connect.js middleware
CORS in AngularJS
CORS in Backbone.js
Node.js and JavaScript frameworks are evolving rapidly
Summary
References
8
8. CORS Best Practices
8. CORS Best Practices
Enabling API to public CORS requests
Limiting API to allow CORS requests to a whitelisted set of origins
Protecting against cross-site request forgery (CSRF)
Summary
9
Index
Index

Alternatives to CORS

There are other ways to work around the same-origin policy. CORS provides better basic security, error handling, preflight, and other methods that make it a superior choice for cross-origin sharing compared to these alternatives

Alternative methods include the following:

  • JSON-P
  • WebSocket
  • window.postMessage

JSON-PJSONP (later dubbed JSON-P, or JSON-with-padding) was proposed in 2005 as a way to use the <script> tag to request data in the JSON format across domains.

The term "padding" refers to a callback function, which is defined as a query parameter attached to the <script> tag. The callback function is defined on the target domain. The <script> tag on the local domain loads a function or service on the target domain. When the script executes, the function on the target domain is called, and the data returned from the target domain is passed to the callback function on the local domain.

There is no official definition or specification for JSON-P.

Example of JSON-P

  1. A callback function is defined on the local domain:
    function handle_data(data) {
   // something is done to the data received from the Target Domain
}
  2. A <script> tag on the local domain loads the script (http://targetdomain/web/service) from the target domain and passes the results to the callback function handle_data on the local domain:
    <script type="application/javascript" src="http://targetdomain/web/service?callback=handle_data" </script>

Using JSON-P – limitations and risks

  • JSON-P does not use AJAX XHR; therefore, error detection and handling are not possible until the data is passed to the callback function.
  • Trust in the target domain is implicit. If the target domain is compromised, the local domain becomes vulnerable as well. JSON-P is subject to cross-site request forgery (CSRF or XSRF) attacks because the <script> tag is not restricted by the same-origin policy. A script tag on a malicious page can request and obtain JSON data of another domain. If the user is authenticated at the endpoint domain, passwords or other sensitive data may get compromised.
  • Rosetta flash uses adobe flash player to exploit servers with a vulnerable JSON-P endpoint. It causes the Adobe Flash Player to accept a flash applet as originating from the same domain.

Proposed JSON-P validation standard

The standard would make JSON-P safer.

  • Limit the function ("padding") reference of the JSON-P response to a single expression as a function reference or an object property function reference. A single pair of enclosing parentheses should follow the expression, with a valid and parsable JSON object inside the parentheses.

    Examples of safer JSON-P functions are as follows:

    functionName({JSON});

    obj.functionName({JSON});

    obj["function-name"]({JSON});

  • Only whitespace or JavaScript comments may appear in the JSON-P response since whitespace and comments are ignored by the JavaScript parser. The MIME-type application/json-p and/or text/json-p must be included in the requesting <script> element. The browser can require that the response must match the MIME-type.

Note

However, MIME-type application/json-p and/or text/json-p are not supported by any browser. CORS is a safer and more robust method than JSON-P for sharing resources across domains with JavaScript.

WebSocket

WebSocket provides full-duplex communication channels over a single TCP connection. The WebSocket protocol was standardized by the IETF (https://tools.ietf.org/html/rfc6455) in 2011, and the WebSocket API is a candidate recommendation by the W3C (http://www.w3.org/TR/websockets/).

WebSocket uses TCP, not HTTP; nor does it use AJAX/XHR.

Socket.io provides a framework to use WebSocket by creating a node.js server for the socket (http://socket.io/).

WebSocket handshakes

The initial handshake over HTTP sets up the connection and communicates the origin policy information.

If the handshake is successful, the data transfer continues via TCP.

WebSocket creates a two-way communication channel, where each side can, independently from the other, send data at will.

WebSocket and cross-domain resource sharing

A cross-domain WebSocket is enabled with the domain (host) header to accept/deny requests.

Risks of using WebSocket for cross-domain resource sharing

  • The header can be spoofed. In order to secure the connection, you will need to authenticate the connection by other means.
  • The same-origin policy is not observed in WebSocket; therefore, Cross-Site WebSocket Hijacking (CSWSH) is possible.
  • WebSocket does not handle standard safeguards that need to be implemented outside of the WebSocket:
    • Authentication
    • Authorization
    • Sanitization of data

The window.postMessage method

The postMessage method is part of the W3c candidate recommendation for HTML5 Web Messaging ().

postMessage allows messages between discrete documents. The documents may include an iframe embedded in a document, or any other window objects.

The postMessage method dispatches MessageEvent in the target window when a script is completed.

postMessage risks and security measures

  • Any window can send a message to any other window. An unknown sender can send malicious messages. The sender's identity can be verified using the origin and source properties. If a site you trusted gets compromised, it can send cross-site scripting messages. The syntax of the received message can be verified against an expected pattern.
  • A malicious script can spoof the location property of the window and intercept data. Similar to avoiding the wildcard in the Access-Control-Allow-Origin header in CORS, specify an exact target.

Tip

The obvious security measure is not to use postMessage and not to add any event listeners for message events if you don't expect to receive messages.

End of Section 11
Next Section
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete