CORS (Cross-Origin Resource Sharing) is hard. It's hard because it's part of how browsers fetch stuff, and that's a set of behaviours that started with the very first web browser over thirty years ago. Since then, it's been a constant source of development: adding features, improving defaults, and papering over past mistakes without breaking too much of the web.

Anyway, I figured I'd write down pretty much everything I know about CORS, and to make things interactive, I built an exciting new app:

The CORS playground

You can dive right into the playground now if you want, but I'll link to it throughout the article to demonstrate particular examples.

Anyway, I'm getting ahead of myself. Before I get to any of the 'how', I'm going to try to explain why CORS is the way it is, by looking at how it came into existence, and how it fits into other kinds of fetches. Wish me luck…

Cross-origin access without CORS

> I'd like to propose a new, optional HTML tag: IMG. Required argument is SRC="url".

– Marc Andreessen in 1993

Browsers have been able to include images from other sites for almost 30 years. You don't need the other site's permission to do this, you can just do it.

And it didn't stop with images:

APIs like these let you make a request to another website and process the response in a particular way, without the other site's consent.

This started getting complicated in 1994 with the advent of HTTP cookies. HTTP cookies became part of a set of things we call credentials, which also includes TLS client certificates (not to be confused with server certificates), and the state that automatically goes in the `Authorization` request header when using HTTP authentication (if you've never heard of this, don't worry, it's shite).

Credentials allow the server to maintain state about a particular user across multiple requests. It's how Twitter shows you your feed, it's how your bank shows you your accounts. When you request other-site content using one of the methods above, it sends along the credentials for the other site. And over the years that's created a colossal sackload of security issues.

…which is loaded using 's cookies, the CSS parses, and sends private information to. Oh no.

And that's just the tip of the shitberg. From browser bugs to CPU exploits, these leaky resources have given us decades of problems.

It's become pretty clear that the above was a mistake in the design of the web, so we no longer create APIs that can process these kinds of requests. Meanwhile, we've spent the last few decades patching things up as best we can:

- CSS from another origin (I'll get to a definition of 'origin' shortly) now needs to be sent with a CSS `Content-Type`. Unfortunately we can't enforce the same thing for scripts and images, or CSS on quirks mode pages, without breaking significant portions of the web.
- The `X-Content-Type-Options: nosniff` header lets the server say "hey, don't allow this to be parsed as CSS or JS unless I've sent the right `Content-Type`".
- Later, the nosniff rules were expanded to prevent particular no-CORS response types from another origin, such as HTML, JSON, and XML (except SVG).
- More recently, we don't send cookies along with the request from site-A to site-B, unless site-B has opted in using the `SameSite` cookie attribute. Without cookies, the site generally returns the 'logged-out' view, without private data.
- Firefox and Safari go a step further, and try to fully isolate sites, although how this works is currently pretty different between the two.

Back in 1995, Netscape 2 landed with two amazing new features: LiveScript (you probably know this better as 'JavaScript'), and HTML frames. Frames let you embed one page in another, and LiveScript could interact with both pages.

Netscape realised that this presented a security issue; you don't want an evil page to be able to read the DOM of your banking page, so they decided that cross-frame scripting would only be allowed if both pages had the same origin. The idea was that sites on the same origin are more likely to have the same owner. That wasn't completely true, since a lot of sites divided content by URLs such as, but the line had to be drawn somewhere.

From that point, features that granted deep visibility into a resource were limited to same-origin. This included `new ActiveXObject('Microsoft.XMLHTTP')`, which first appeared in IE5 in 1999, and later became the web standard `XMLHttpRequest`.

Some web features don't deal with origins, they deal with 'sites'. For instance, and are different origins, but they're the same site.
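As an added example that is not part of the article, here is a small JavaScript comparison of "same origin" versus "same site" for two URLs, the distinction the paragraph above draws and the one the `SameSite` cookie attribute and Firefox/Safari site isolation rely on. Browsers find the registrable domain via the Public Suffix List; the `PUBLIC_SUFFIXES` table below is a constructed stand-in covering only the sample inputs, and the scheme is included in the site, following the schemeful same-site definition.

```javascript
// Added example, not the article's code. An origin is scheme + host + port;
// a site is scheme + registrable domain (eTLD+1). Real browsers consult the
// Public Suffix List; this constructed table only covers the sample inputs.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'co.uk', 'github.io']);

// Origin as the browser reports it, e.g. "https://example.com:8443".
function origin(urlString) {
  return new URL(urlString).origin;
}

// Longest matching public suffix plus one more label. Returns null when the
// host is itself a public suffix (no registrable domain, so never same-site).
function registrableDomain(hostname) {
  const labels = hostname.split('.');
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return hostname; // unknown suffix (e.g. "localhost"): whole host is the domain
}

// Schemeful site: "https://example.com" for https://blog.example.com:8443/x
function site(urlString) {
  const u = new URL(urlString);
  const rd = registrableDomain(u.hostname);
  return rd === null ? null : `${u.protocol}//${rd}`;
}

function isSameOrigin(a, b) {
  return origin(a) === origin(b);
}

function isSameSite(a, b) {
  const sa = site(a);
  const sb = site(b);
  return sa !== null && sa === sb;
}

// Constructed sample: different port means different origin, but same site.
const A = 'https://example.com/feed';
const B = 'https://example.com:8443/api';
console.log(isSameOrigin(A, B), isSameSite(A, B)); // false true
```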