Same-origin policy:
JS on a page may make Ajax requests only to the server (origin) the page came from.
More on my example:
I allow users to upload JS.
You run pages with other users' JS in them.
How do I stop that JS making server calls to Edit/Delete your files on the server?
Answer: Two servers. Logged-in pages run on the 1st server, ancientbrain.com.
User-submitted pages run on the 2nd server, run.ancientbrain.com, and cannot make Ajax calls to the 1st server, because it is a different origin.
Workaround to same-origin policy:
- Workaround to same-origin policy using JSON.
Bit of a hack.
The server must co-operate.
JSON format only.
More suitable for distributing feeds of content
than for making logged-in read/write calls.
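The notes do not name it, but the co-operating-server, JSON-only workaround they describe is the JSONP pattern: the page loads a script from the other server, and that server returns the JSON wrapped in a call to a callback function the page asked for. Here is an added example (not ancientbrain.com code) of the server side, showing why the server must co-operate and why it is only suitable for public feeds: anything returned this way can be read by any page on any origin. The feed contents and the function name are constructed.

```python
import json
import re

# The callback name must be a plain JS identifier (dotted names allowed).
# Without this check a crafted "callback" parameter could inject arbitrary
# script into the response, since the browser executes it as JavaScript.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

def jsonp_response(callback, data):
    """Build what a co-operating server returns for a JSONP request.

    Returns (status, content_type, body). The body is a script, not JSON,
    which is why only public read-only data should ever be served this way.
    """
    if not CALLBACK_RE.match(callback or ""):
        return 400, "text/plain", "bad callback name"
    # json.dumps escapes non-ASCII by default, so the payload is safe to
    # embed inside a script body.
    payload = json.dumps(data)
    return 200, "application/javascript", f"/**/ {callback}({payload});"

# Constructed sample feed, standing in for whatever public content the server exposes.
FEED = {"items": [{"title": "Hello", "url": "https://example.test/1"}]}

def demo_good():
    """The page requested callback=showFeed; the server wraps the JSON in showFeed(...)."""
    return jsonp_response("showFeed", FEED)

def demo_bad():
    """A callback parameter carrying script instead of an identifier is refused."""
    return jsonp_response("alert(1);//", FEED)

if __name__ == "__main__":
    print(demo_good()[2])
    print(demo_bad())
```

On the page side the request is simply a script tag pointing at the other server with a callback parameter, and the named function receives the data. There is no way to attach a logged-in session safely to this, which is the reason the notes reserve it for feeds rather than read/write calls.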
The server has PHP files to handle the various read/write Ajax JS requests that pages make.
The hacker cannot call these with Ajax JS in his own page, because of the same-origin policy.
But the hacker can call them directly with HTTP: send an HTTP request to the PHP to Delete the victim's files.
This won't work because the hacker is not logged in as the victim.
CSRF attack: the hacker sets up a link (say in an email) for the victim to click.
When clicked by the victim,
it sends an HTTP request to the PHP to Delete files.
The victim is logged in. Files are deleted.
In fact, on ancientbrain.com it is trivially easy to get a user to click your links. This happens all the time.
It is how the site is designed: you interact with uploaded programs.
How to stop CSRF?
The Delete request has to come from a Delete button on the ancientbrain.com page.
It cannot come independently.
How to do this?
Solution: CSRF tokens.
Logged-in pages are sent secret tokens (e.g. long ID numbers) in the JS.
The token is unguessable: it must be different for each user, and change regularly.
These tokens are returned when the JS on the page makes an Ajax call.
The HTTP link the hacker sets up for the victim to click does not have the token, and so does not work.
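The token scheme above, as an added example in Python rather than the site's PHP (this is not ancientbrain.com code). The session store, file store, user names and file names are constructed stand-ins. The point it makes is the one in the notes: the session cookie travels with any request the browser makes, including one triggered by the hacker's link, but the token only travels when the page's own JS adds it.

```python
import hmac
import secrets

# In-memory stand-ins (constructed) for the server's session store and file store.
SESSIONS = {}            # session_id -> {"user": ..., "csrf": ...}
FILES = {"alice": {"world.js", "notes.txt"}, "bob": {"game.js"}}

def login(user):
    """Create a session and issue an unguessable per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(32)}
    return sid

def page_js(sid):
    """The line the logged-in page embeds; its Ajax calls send CSRF_TOKEN back."""
    return f"var CSRF_TOKEN = '{SESSIONS[sid]['csrf']}';"

def rotate_token(sid):
    """Change the token regularly (on a timer, or after sensitive actions)."""
    SESSIONS[sid]["csrf"] = secrets.token_hex(32)
    return SESSIONS[sid]["csrf"]

def handle_delete(cookies, params):
    """Server-side handler for a delete.php-style request.

    cookies: sent by the browser automatically, so present on a CSRF link too.
    params:  request parameters; the token is only here if the page's JS added it.
    """
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    supplied = params.get("csrf_token", "")
    # Constant-time compare, so the check leaks nothing about the real token.
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "missing or bad CSRF token"
    user, filename = session["user"], params.get("file")
    if filename not in FILES[user]:
        return 404, "no such file"
    FILES[user].remove(filename)
    return 200, f"deleted {filename}"

def scenario():
    """Hacker's token-less link fails; the page's own Delete button succeeds."""
    sid = login("alice")
    token = SESSIONS[sid]["csrf"]
    # 1. Victim clicks the hacker's link: cookie goes along, token does not.
    from_link = handle_delete({"sid": sid}, {"file": "world.js"})
    # 2. Victim presses Delete on the real page: JS attaches CSRF_TOKEN.
    from_button = handle_delete({"sid": sid}, {"file": "world.js", "csrf_token": token})
    return from_link, from_button, sorted(FILES["alice"])

if __name__ == "__main__":
    print(scenario())
```

Because the hacker's page is on a different origin, it cannot read CSRF_TOKEN out of the logged-in page's JS either, which is what ties the token defence back to the same-origin policy at the top of the notes.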
Sometimes I link to Wikipedia.
I have written something
In defence of Wikipedia.
It is often a useful starting point,
but you cannot trust it.
Linking to it is like linking to a Google search:
a starting point, not a destination.
Highlighted in red: all
links to Wikipedia and Google search
and other possibly-unreliable user-generated content.