{"id":1995,"date":"2015-02-02T15:07:00","date_gmt":"2015-02-02T13:07:00","guid":{"rendered":"http:\/\/hasselba.ch\/blog\/?p=1995"},"modified":"2016-10-30T20:12:26","modified_gmt":"2016-10-30T18:12:26","slug":"rest-security-same-origin-policy-cors","status":"publish","type":"post","link":"https:\/\/hasselba.ch\/blog\/?p=1995","title":{"rendered":"REST & Security: Same-Origin Policy \/ CORS"},"content":{"rendered":"

The „Same-orginin policy<\/em>„<\/a> is an important concept for protecting web applications. In short, only resources from the same domain are allowed, everything else is permitted<\/del> denied. To allow access other domains in your application, you have to enable CORS<\/em>„<\/a>, a tutorial how to enable this on a Domino server<\/a> was written by Mark Barton a while ago.<\/p>\n

It works fine for protecting an applications against DOM manipulations and\/or injection of malicous script code, but this client side security restriction only blocks the response<\/span> from the server. The client still sends a request<\/span>, and this can be problematic for the security of a RESTful application.<\/p>\n

To clearify this, here is a short example:<\/p>\n

I have created a small HTML page containing an Ajax request to load some code of a XPages-based REST service on another server. This file is hosted on my hasselba.ch server, and wants to access some data on my local Domino server:<\/p>\n

<html>\r\n\u00a0\u00a0 <body>\r\n\u00a0\u00a0 <h1>SOP Demo<\/h1>\r\n\u00a0\u00a0 <script>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 var xhr =(window.XMLHttpRequest)?new XMLHttpRequest():\r\n          new ActiveXObject(\"Microsoft.XMLHTTP\");\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 xhr.open(\"GET\",\"http:\/\/localhost\/REST.nsf\/SOPDemo.xsp\/foo\/\",true);\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 xhr.withCredentials = true;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 xhr.send();\r\n\u00a0\u00a0 <\/script>\r\n\r\n\u00a0\u00a0 <\/body>\r\n<\/html><\/code><\/pre>\n
The „withCredential<\/em>“ options ensures that an eventually existing Domino session is used when performing the request.<\/p>\n
The REST service on my Domino server prints the actual username to the console:<\/p>\n
<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<xp:view\r\n\u00a0\u00a0 \u00a0xmlns:xp=\"http:\/\/www.ibm.com\/xsp\/core\"\r\n\u00a0\u00a0 \u00a0xmlns:xe=\"http:\/\/www.ibm.com\/xsp\/coreex\"\r\n\u00a0\u00a0 \u00a0rendered=\"false\">\r\n\u00a0\u00a0 \u00a0\r\n\u00a0\u00a0 \u00a0<xe:restService\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0id=\"restService\"\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0pathInfo=\"foo\">\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0<xe:this.service>\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0<xe:customRestService\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0requestContentType=\"application\/json\"\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0requestVar=\"data\">\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0 \r\n\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0         <xp:this.doGet>\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0       <![CDATA[#{javascript:\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0      print(\"Hello '\" + session.getEffectiveUserName() + \"'\");\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0      \"{}\"\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0       }]]>\r\n                <\/xp:this.doGet>\r\n\u00a0\u00a0 \u00a0         <\/xe:customRestService>\r\n         <\/xe:this.service>\r\n     <\/xe:restService>\r\n<\/xp:view>\r\n<\/code><\/pre>\n
When opening this page, the response of the request is blocked, and that’s what the „Same-origin policy<\/em>“ was made for: If the response contains malicious Javascript code, this script won’t get executed.<\/p>\n
\"01\"<\/a><\/p>\n
The client is protected, but what about the request send to the server?<\/p>\n
\"02\"<\/a><\/p>\n
The request was made with my credentials, and that is why the „Same origin-policy<\/em>“ does not protect RESTful applications: If a victim visits my page, I am able perform malicious requests against a RESTful webservice in his context.<\/p>\n","protected":false},"excerpt":{"rendered":"
The „Same-orginin policy„ is an important concept for protecting web applications. In short, only resources from the same domain are allowed, everything else is permitted denied. To allow access other domains in your application, you have to enable „CORS„, a … Weiterlesen →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,61,35,81],"tags":[60,90,5,12],"class_list":["post-1995","post","type-post","status-publish","format-standard","hentry","category-javascript","category-rest","category-security","category-web","tag-rest","tag-security","tag-ssjs","tag-web"],"_links":{"self":[{"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1995","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1995"}],"version-history":[{"count":11,"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1995\/revisions"}],"predecessor-version":[{"id":2277,"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1995\/revisions\/2277"}],"wp:attachment":[{"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1995"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1995"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1995"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}