
Extend XMLHttpRequest API to turn off HTML5 Cross Origin Request by default #9

Open
GoogleCodeExporter opened this issue Mar 23, 2016 · 1 comment

Comments


The XHR API is capable of making cross-domain calls now thanks to HTML5. There are applications that include user-controlled data as the request URL in XHR.open().

This was assumed to be safe because this value could only be set to a file hosted on the same domain. But with HTML5 this value can be set to a file on an attacker-controlled domain.
Real-life example on touch.facebook.com: http://m-austin.com/blog/?p=19

Server-side ESAPI provides a secure equivalent of the request and response objects. Similarly, ESAPI4JS can provide a secure equivalent of the XMLHttpRequest object by turning off support for COR by default (a little similar to this - http://myappsecurity.blogspot.com/2007/01/ajax-sniffer-prrof-of-concept.html).

A new property can be added to the extended XHR API called 'cor'. Only if this flag is set would cross-domain requests be allowed. As explained towards the end of this post - http://blog.andlabs.org/2010/08/xssing-client-side-dynamic-html.html

Ideally this change must be made to the underlying API itself, but until then ESAPI4JS can fill the gap I guess.

Original issue reported on code.google.com by [email protected] on 24 Aug 2010 at 7:10


Definitely a good call - I will slot this for the next release

Original comment by chrisisbeef on 24 Aug 2010 at 7:40

  • Changed state: Accepted
  • Added labels: Priority-High, Type-Enhancement
  • Removed labels: Priority-Medium, Type-Defect
