Palisade Magazine

 
July 2008

Proposal to amend Same Origin Policy


The browser's same origin policy prevents scripts loaded from one domain from accessing resources on another domain. However, this policy imposes several limitations on Web 2.0 applications and restricts interactivity between sites. The W3C has formed a new proposal, in response to Web 2.0 developers' demands, that permits cross-site requests. Which of the following is that proposal?

  a. Configuring Domain Authorization Rules on the application server side
  b. Access Control for Cross-site Requests
  c. Configuring Application level ACL


Answer is b. Access Control for Cross-site Requests

The proposal states that applications should include an extra header in their responses, viz. Content-Access-Control.

In cross-site GET requests, the response will be checked for access-control headers, which determine what requesting domains are allowed to make cross-site requests. If the requesting domain is allowed, the response is made available to the script; otherwise, it fails.

Consider a resource e.asmx on A.com. A page on B.com can make a valid XML HTTP request to e.asmx on A.com if e.asmx has the following header set: <?access-control allow="B.com"?>
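The following is an added example, not code from the W3C draft or from the magazine, modelling the browser-side decision just described: the response to a cross-site GET is examined for an access-control declaration, and the body is handed to the script only if the requesting page's domain is on the allow list. The Content-Access-Control header name and the `<?access-control allow="B.com"?>` instruction come from the text; treating the allow value as a whitespace-separated list of domains and `*.example.com` as a subdomain wildcard are assumptions made for this example.

```javascript
// Added example: a model of the browser-side check in the
// "Access Control for Cross-site Requests" draft, as the article describes it.
// Assumptions: allow values are whitespace-separated domains, and a leading
// "*." pattern matches any subdomain.

// Does `pattern` cover `domain`? Exact match, or "*.example.com" style wildcard.
function domainMatches(pattern, domain) {
  const p = pattern.toLowerCase();
  const d = domain.toLowerCase();
  if (p.startsWith('*.')) {
    return d.endsWith(p.slice(1)); // requires the ".example.com" suffix, so "evilexample.com" fails
  }
  return p === d;
}

// Collect the allowed domains declared by the resource, either in the
// Content-Access-Control response header or in an access-control
// processing instruction inside an XML body.
function allowedDomains(response) {
  const found = [];
  const header = response.headers['content-access-control'];
  if (header) found.push(...header.trim().split(/\s+/));
  const pi = /<\?access-control\s+allow="([^"]*)"\s*\?>/i.exec(response.body || '');
  if (pi) found.push(...pi[1].trim().split(/\s+/));
  return found.filter(Boolean);
}

// The browser's decision. Same-origin responses are always delivered; a
// cross-site response reaches the script only when the requesting domain is
// on the allow list, otherwise the request fails and the body is withheld.
function deliverCrossSite(requestingDomain, resourceDomain, response) {
  if (requestingDomain.toLowerCase() === resourceDomain.toLowerCase()) {
    return { ok: true, body: response.body };
  }
  const allowed = allowedDomains(response).some(p => domainMatches(p, requestingDomain));
  return allowed
    ? { ok: true, body: response.body }
    : { ok: false, body: null, reason: 'cross-site request refused by access-control policy' };
}

// Constructed sample: the article's e.asmx on A.com, which admits B.com only.
const sampleResponse = {
  headers: { 'content-type': 'text/xml' },
  body: '<?xml version="1.0"?><?access-control allow="B.com"?><r>account data</r>',
};

console.log(deliverCrossSite('B.com', 'A.com', sampleResponse)); // ok: true, body delivered
console.log(deliverCrossSite('C.com', 'A.com', sampleResponse)); // ok: false, body withheld
```

Note that the policy is enforced by the browser, not the server: the server still sends the full response, so a resource that must stay private to A.com must simply not declare any allowed domains.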

Options a and c are proposals put forward by Justin Schuh for enhancing the same origin policy by increasing the trust relationships between applications. His proposal seeks to support the differing communication and security needs of modern web applications.

In a typical browsing session, a user's browser may have multiple tabs open, accessing multiple sites simultaneously. In this situation the browser effectively becomes a gateway between those sites, so it makes sense that a site should be able to dictate the policy for how it handles communications initiated by other sites. That is what Domain Authorization Rules and application-level ACLs are about. Adopting such a posture, a site would reject any POST request originating from a site other than the origin site, thereby thwarting any CSRF attack.

Let's take the example of a site hosted on the domain example.com. Domain Authorization Rules for example.com may look like:

#  Access  Direction  Requesting Domain  Port    Protocol  Method    Initiator  Destination
1  allow   all        *.example.com      80|443  *         *         *          *
2  deny    inbound    *                  80|443  *         *         *          /includes/*
3  allow   outbound   *.images.com       80      HTTP      GET|HEAD  image      *

Rule 1 would allow all requests to and from subdomains of example.com.

Rule 2 would deny all inbound requests for www.example.com/includes.

Rule 3 allows all outbound requests for images to the site images.com.

Rule 2 would mitigate CSRF attacks against all forms under example.com/includes. Reflected XSS is also mitigated by restricting non-user-initiated outbound requests to a set of known servers.
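To make the rule semantics concrete, here is an added example (not from the article and not from Justin Schuh's proposal text) that evaluates requests against the three rules in the table above. The column names and values are taken from the table; the assumptions made for this example are that rules are tried in order with the first match winning, that a request matching no rule is denied, that `*` is a glob wildcard and `|` separates alternatives, that `all` matches either direction, and that for outbound rules the Requesting Domain column names the remote site being contacted.

```javascript
// Added example: an evaluator for the Domain Authorization Rules table.
// Assumptions: first-match-wins ordering, default deny, "*" glob, "|"
// alternatives, "all" = either direction, and for outbound requests the
// requestingDomain field holds the remote site being contacted.

const rules = [
  { id: 1, access: 'allow', direction: 'all',      requestingDomain: '*.example.com', port: '80|443', protocol: '*',    method: '*',        initiator: '*',     destination: '*' },
  { id: 2, access: 'deny',  direction: 'inbound',  requestingDomain: '*',             port: '80|443', protocol: '*',    method: '*',        initiator: '*',     destination: '/includes/*' },
  { id: 3, access: 'allow', direction: 'outbound', requestingDomain: '*.images.com',  port: '80',     protocol: 'HTTP', method: 'GET|HEAD', initiator: 'image', destination: '*' },
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Match one field pattern such as "80|443", "*.example.com" or "/includes/*"
// against a value. "*" matches anything; "|" separates alternatives.
function fieldMatches(pattern, value) {
  return String(pattern).split('|').some(alt => {
    if (alt === '*') return true;
    const re = new RegExp('^' + alt.split('*').map(escapeRegExp).join('.*') + '$', 'i');
    return re.test(String(value));
  });
}

const FIELDS = ['requestingDomain', 'port', 'protocol', 'method', 'initiator', 'destination'];

function ruleMatches(rule, req) {
  if (rule.direction !== 'all' && rule.direction !== req.direction) return false;
  return FIELDS.every(f => fieldMatches(rule[f], req[f]));
}

// Evaluate a request against the rule set (first match wins, default deny).
// Returns the decision and the id of the rule that produced it.
function evaluate(req, ruleSet = rules) {
  for (const rule of ruleSet) {
    if (ruleMatches(rule, req)) return { access: rule.access, rule: rule.id };
  }
  return { access: 'deny', rule: null };
}

// Constructed sample requests (domains and paths are made up for illustration).
const samples = {
  // a forged form POST from another site into the protected area: CSRF attempt
  csrfFromOutside: { direction: 'inbound', requestingDomain: 'forum.example.net', port: 443, protocol: 'HTTPS', method: 'POST', initiator: 'form', destination: '/includes/transfer' },
  // the same POST from the site's own subdomain is covered by rule 1 first
  postFromOwnSubdomain: { direction: 'inbound', requestingDomain: 'app.example.com', port: 443, protocol: 'HTTPS', method: 'POST', initiator: 'form', destination: '/includes/transfer' },
  // an <img> fetch to the known image host
  imageFetch: { direction: 'outbound', requestingDomain: 'cdn.images.com', port: 80, protocol: 'HTTP', method: 'GET', initiator: 'image', destination: '/logo.png' },
  // a script-initiated GET to an unknown host, the pattern a reflected XSS payload uses to exfiltrate data
  scriptExfil: { direction: 'outbound', requestingDomain: 'collector.example.net', port: 80, protocol: 'HTTP', method: 'GET', initiator: 'script', destination: '/c?d=...' },
};

for (const [name, req] of Object.entries(samples)) {
  console.log(name, evaluate(req));
}
```

The CSRF case is decided by rule 2, the image fetch by rule 3, and the script-initiated outbound GET matches nothing and falls to the default deny, which is the "known servers only" effect the text attributes to these rules.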
