Closed Bug 915581 Opened 12 years ago Closed 12 years ago

XMLHttpRequest does not correctly implement same origin policy

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
23 Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: konstantinos.agouros, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.8 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.8 Steps to reproduce: I use a little XMLHttpRequest in a little Script to open an arbitrary URL which differs from the URL where the script was downloaded from. You can test at http://krupps.agouros.de/xmlrpc/gn2.html Actual results: Verifying the web servers log file I found that while I can not access the answer the request to the server is actually executed. This would allow an attacker to use complex requests to blind shoot at vulnerable web servers this is a risk. Expected results: Error Message in Java Script console and request _not_ executed.
Cross-origin XMLHttpRequest is a standardized behavior that most modern browsers follow. You can see it described at https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS Simple requests are always sent, but only returned to the other origin if the server includes the Access-Control-Allow-Origin header. These are the same requests that you could trigger anyway by including a cross-origin <script> or <style>, so there is no additional risk. Other requests such as POST or requests with custom headers are first checked with the server using an HTTP OPTIONS check before the actual request is sent.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
I can not confirm Your last sentence. The script I provided does a post request, but I do _not_ see an options before.
You need to log in before you can comment on or make changes to this bug.