Wednesday, February 20, 2008

Cross Site XHR in Firefox 3

Had a look at John Resig's blog, (the author of JQuery), and he has written up the docs for the new cross-site version of the XMLHttpRequest object that will make it's debut in Firefox 3.Its actually quite simple in its implementation. The resource being accessed by the XHR simply adds an "Access-control" header specifying the domains permitted access.

Normally of course, an XHR can only make requests of the domain it came from. So if the page you are reading came from "", if I include a a script with an XHR, it can only make requests of that domain. Seems a pain at first, since it might be nice to grab info from an external rss feed or some such thing. But that would also mean that any scripts on the page that originate somewhere else - like an adsense script or a hit counter - could make requests of "", which presents problems. A malicious script could wreak havoc on my web server by making thousands of requests, (DoS attack), or could start throwing various common method names at it like deleteAccount(1) or deleteUser(1). If I am not really diligent about handling authentication on the server-side, things could go really badly. So only scripts that originate on the domain "" can access the other resources on that domain because one would assume that I would not write a script to mess up my own web server.

But the new cross-site XHR that will be available with Firefox 3 is a little different because I can now specify an "Access-control" header in a resource, the XHR can get at things it was previously denied by design. So if i publish an RSS feed of this blog, and put the following php code in the page that serves it up...

<? header('Access-Control: allow <*>'); ?>
<? //serve up some rss data here ?>

...anyone can create a script that updates from my RSS feed without any page reloads. Pretty cool eh?

Still wary about giving other people access to my server under any circumstances, but then again, a DoS attack can come from a bot just as easily as a script in a web page, so I will have to look into this some more.

No comments: