This works because the browser will run any third-party script, but it won't expose the raw string constituting the script.
So a malicious website can't steal that content by putting the URL in a script. It will never get to see what's in the script and only a same-domain script could parse the whole contents, by making a XHR call, and strip out the "while 1;" part. In contrast, a regular JSONP string is specifically designed for the third party to read it (by including code to call a callback function).
A lot of people still don't realise you shouldn't be serving private data as JSONP. Thankfully, CORS lets modern browsers go cross-browser safely, even with private data if things are configured right.
Actually as yoghur points out, CORS doesn't protect against CSRF. A token must be passed for any privileged calls.
That said, a benefit of CORS is the ability to do non-GET methods. So it's safer in the sense of HTTP idempotence, ie you can change server state safely, using POSTs, DELETEs, and so on. You'd still need to pass a token, however.
(Of course I meant cross-domain, not cross-browser :).
Actually this prevents XSSI (cross-site script inclusion) not XSRF (cross-site request forgery).
XSRF vulnerabilities allow an attacker to issue web requests on a user's behalf; oftentimes though people only call it a vulnerability when you can issue a request that changes some state. And XSRF is usually prevented by including a hard to guess token with the request that is tied to the user and allows you to determine whether the request was generated by an authorized party. Please don't try to prevent XSRF by using while(1) :)
I'm a bit perplex why you've chosen to pedantize this particular word choice since "prepend" itself is a portmanteau derived by mashing "pre" and "append" together.
Perhaps the trio of "affix", "prefix" and "suffix" might be more useful, since there is no "postpend" or "suppend" to accompany "append" and "prepend".
If you look at the gmail ajax calls, you'll also see they sometimes put a number in front of their data. Example:
3
[1, 2, 3, 0]
If you execute that in your JS console, it'll return undefined, which threw me for a loop a couple days ago when I saw it. I ended up having it ask on StackOverflow too and it's because JavaScript will interpret it as a property look up on that number object (it will evaluate to 3[0], which evaluates to undefined).
This doesn't protect again using an <img> tag to accomplish the same thing correct? Assume a malicious user wanted to delete something and the URI was formatted like: http://mydomain.com/delete/some-id-here. Then assuming the user is logged in, a simple <img src="http://www.mydomain.com/delete/some-id-here /> on a third party site would execute the request successfully correct?
This is one of the reasons why you never perform any actions which change something over GET. The main reason is so your site doesn't get deleted when the Googlebot visits. (Or more generally, so that web crawlers and other robots don't accidentally mutate the site.)
Using POST is not sufficient; you also need to include an XSRF token that only the requesting page knows. It's very possible to send a POST to a third-party site with about one line of Javascript. (In the relatively early days of Reddit, I wrote a page that upvoted itself by having a JS handler in an invisible iframe resubmit the same link over again, using the visitor's login credentials. At the time, submitting the same link twice on Reddit counted as an upvote, and so merely visiting the page would upvote the link.)
Yes, that solves that. But you should use CSRF. Otherwise someone could have a <form method=POST action="http://mysite.example.com/delete>…</form>; on their site and a javascript that will submit the form upon page load.
If that works then the developer responsible for mydomain.com should be reprimanded for wilful incompetence. And that isn't even the problem the while(1); trick is meant to mitigate.
Really, the knee-jerk response to every single closed question on SO isn't terribly useful.
First off, you can still read the question and vote on answers. Since there are already several answers, adding another one would not be very useful anyhow.
Moreover, it's closed as a duplicate. There's an essentially identical question--with essentially the same answer--that's quite a bit older. It makes sense to point people to it so that there's one centralized resource on the topic.
As a duplicate of What??? That's always been my question. I've found it beyond dumb that they don't put the thing they want you to go to at that message. And, they should make it look like a link. Just my $0.02.
The thing that says, "Possible duplicate?" Once they confirm it they should change the wording to say "Duplicate" if that's the one they mean. It just looks like it's unfinished this way.
Wikipedia has shown us what ridiculous bureaucracy does to a community; it's sad that Stackoverflow has been turned into a utterly useless site despite the lessons that could have been learned from Wikipedia.
Stackoverflow has been turned into a utterly useless site
It has? It's news to me; I'm constantly finding relevant, useful information whenever I search for almost anything in the area of software development.
Every organization becomes controlled by those who serve the organization itself, as opposed to those who perform the actual goal or service of the organization. Schools are controlled by administrators, not the teachers. Wikipedia and other community-sourced internet sites are run by those who desired to acquire power over Wikipedia, not by those who desire to contribute content.
No. Unblow your mind. Any service which returns sensitive data in JSON via an HTTP get based on the user's cookie is vulnerable. At worst, an attacker would just be able collect the response of a GET on behalf of a visitor to the attacker's site if the user is on a really old browser.
This method only works for HTTP GETs, and can't get around requirements to present CSRF tokens with the request. This is one of several possible strategies for guarding against CSRF.
Wouldn't also using a custom HTTP header instead of cookies for passing a session identifier prevent this attack? A script tag can not set headers, right?
Correct me if I'm wrong, but does this not merely allow an attacker to cause the browser to make requests with custom headers? That is, it does not allow the attacker to gain the CSRF token, and if the CSRF token is not known to the attacker, he would still not be able to make API requests.
This can really be broken because you can redefine the numeric constructor of 1 to return false and thus get around the while(1). However, if for(;;) was used, then you cannot get around it. ;)
If I remember correctly, it was first discovered pretty soon after a version of Gecko was introduced with support for setters/getters, and Gecko had minority market share at that time.
That such hacks are used as security measures makes me think that we've heard far from the last JavaScript exploit.
Now I find that workaround sweet: but it's still a total kludge and that such kludges are used just shows how poorly security has been conceived from the ground up in browsers / JavaScript.
I agree... I mean look at JSONP, that's basically the inverse hack. After all: what's the point of enforcing same-origin-policy in AJAX but ignoring it for <script>?
The actual reason for this is web advertising took off like wildfire, using 3rd party scripts. It was too late to reverse by the time people got concerned about the security model.
Content Security Policy makes all this much more robust in modern browsers.
JSONP lets the server turn off the same-origin policy. If XRFing your data is dangerous, don't use JSONP. But often we don't care about XRF, and the person writing the server is well-placed to know.
So a malicious website can't steal that content by putting the URL in a script. It will never get to see what's in the script and only a same-domain script could parse the whole contents, by making a XHR call, and strip out the "while 1;" part. In contrast, a regular JSONP string is specifically designed for the third party to read it (by including code to call a callback function).
A lot of people still don't realise you shouldn't be serving private data as JSONP. Thankfully, CORS lets modern browsers go cross-browser safely, even with private data if things are configured right.