The „Same-origin policy“ is an important concept for protecting web applications. In short, only resources from the same domain are allowed; everything else is denied. To allow access to other domains in your application, you have to enable „CORS“; a tutorial on how to enable this on a Domino server was written by Mark Barton a while ago.
It works fine for protecting applications against DOM manipulations and/or injection of malicious script code, but this client-side security restriction only blocks the response from the server. The client still sends the request, and this can be problematic for the security of a RESTful application.
To clarify this, here is a short example:
I have created a small HTML page containing an Ajax request that loads data from an XPages-based REST service on another server. The file is hosted on my hasselba.ch server and wants to access some data on my local Domino server:
<html>
  <body>
    <h1>SOP Demo</h1>
    <script>
      var xhr = (window.XMLHttpRequest) ? new XMLHttpRequest() :
                new ActiveXObject("Microsoft.XMLHTTP");
      xhr.open("GET", "http://localhost/REST.nsf/SOPDemo.xsp/foo/", true);
      xhr.withCredentials = true;
      xhr.send();
    </script>
  </body>
</html>
The „withCredentials“ option ensures that an existing Domino session, if there is one, is used when performing the request.
The REST service on my Domino server prints the actual username to the console:
<?xml version="1.0" encoding="UTF-8"?>
<xp:view
  xmlns:xp="http://www.ibm.com/xsp/core"
  xmlns:xe="http://www.ibm.com/xsp/coreex"
  rendered="false">
  <xe:restService
    id="restService"
    pathInfo="foo">
    <xe:this.service>
      <xe:customRestService
        requestContentType="application/json"
        requestVar="data">
        <xp:this.doGet>
          <![CDATA[#{javascript:
            print("Hello '" + session.getEffectiveUserName() + "'");
            "{}"
          }]]>
        </xp:this.doGet>
      </xe:customRestService>
    </xe:this.service>
  </xe:restService>
</xp:view>
When opening this page, the response to the request is blocked, and that is what the „Same-origin policy“ was made for: if the response contains malicious JavaScript code, this script won't get executed.
The client is protected, but what about the request sent to the server?
The request was made with my credentials, and that is why the „Same-origin policy“ does not protect RESTful applications: if a victim visits my page, I am able to perform malicious requests against a RESTful web service in his context.
In the second sentence, I believe you meant „denied“ instead of „permitted“, didn’t you?
You are absolutely right. I have updated the post. Thank you!