Is there any way to disable cross-domain ajax request?
Lets say there are two domains: mywebsite and hackerswebsite. On the mywebsite there is a website which contains javascript with AJAX function which sends data to hackerswebsite. All I want is to prevent this and allow only sending AJAX request to mywebsite domain.
I know there is something like "Same origin policy" but what I understand it works on the second domain and can prevent connections from other domains.
To be more precise, lets say that I have a website where users can run their own javascript. If they can write their own scripts they can get any data from DOM document and send it asynchronously to their own server which will accept data from my domain. For example login name. Am i right?
Please correct me if I'm wrong. I'm just trying to understand this security policy thing.
asked Nov 18, 2013 at 16:35 by mkatanski
- So they can make a GET request and send the same information! img.src="asdf.php?myInfo=goesHere"; – epascarello Commented Nov 18, 2013 at 16:38
- You don't need users to be able to run their script on your page in order to acquire any data visible in your DOM/BOM. They can just see that data anyway, and transfer it anywhere they want. – marekful Commented Nov 18, 2013 at 16:39
- I want to give them the possibility to run their own scripts. Not to see data of the page, just to run their own stuff. – mkatanski Commented Nov 18, 2013 at 16:40
- ANY method of accessing exposed data can be used by the client in any way they wish. Once it's out the door, you no longer control it. If you want to protect something, put it behind a login. – Diodeus - James MacFarlane Commented Nov 18, 2013 at 16:46
1 Answer
Sounds like you want a content security policy (CSP) to restrict what resources and Ajax destinations the page can and can't use.
The same-origin policy is designed to prevent websites from reading credentialed responses from a third party (e.g., I load evil., and that site instructs my browser to fetch my online bank statements, using my bank. cookies). The SOP is not intended to prevent users or sites from sending data wherever they like.
The site's CSP is intended to whitelist access to resources, in the event that either:
- the site is compromised by an XSS attack and suddenly behaves in ways you didn't anticipate, or
- the site runs content supplied by user A on a browser owned by user B, and that content needs to be sandboxed.
To be clear, the danger in case #2 is not that a user can run his own JavaScript, but that a user might run some other user's script.
An example CSP might be:
Content-Security-Policy: default-src 'self'; frame-src 'none'; object-src 'none';
This will block any attempt to load iframes or plugins, and it restricts all other resource loads (including images, scripts, stylesheets, and Ajax requests) to the current origin. If you want to allow plugins or iframes, you can remove either of those directives and they will fall back to the default-src directive. You can use the connect-src directive to limit Ajax specifically.
Note also that if you let users run arbitrary scripts, you will likely still have serious problems (e.g., rewriting the page with misleading content), even with a very restrictive CSP taking care of cross-origin network requests.
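To make the fallback behaviour described in the answer concrete, here is an added example (not code from the answer or from any browser) that models how a browser applies a Content-Security-Policy header to a resource load: a fetch directive such as connect-src or img-src that is absent falls back to default-src, while a directive that is present is applied on its own. It supports only the source expressions used on this page ('self', 'none' and host origins); real CSP has many more (schemes, wildcards, nonces, hashes). The hostnames mywebsite.example, hackerswebsite.example and api.mywebsite.example are constructed for the demo.

```javascript
// Added example: a minimal model of CSP directive lookup and source matching.
// Assumptions: only 'self', 'none' and host-origin sources are handled, and the
// hostnames below are constructed placeholders, not real sites.

// Fetch directives that fall back to default-src when not listed explicitly.
const FALLBACK_TO_DEFAULT = new Set([
  'connect-src', 'img-src', 'script-src', 'style-src',
  'frame-src', 'object-src', 'font-src', 'media-src',
]);

// Parse "default-src 'self'; connect-src https://api.mywebsite.example"
// into { 'default-src': ["'self'"], 'connect-src': ['https://api.mywebsite.example'] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Decide whether a load of `kind` ('connect' for XHR/fetch, 'img', 'frame', ...)
// to `targetUrl` is permitted for a document served from `pageOrigin`.
function isAllowed(policy, kind, targetUrl, pageOrigin) {
  const directive = `${kind}-src`;
  let sources = policy[directive];
  if (sources === undefined && FALLBACK_TO_DEFAULT.has(directive)) {
    sources = policy['default-src'];
  }
  // No governing directive at all: this CSP does not restrict the load.
  if (sources === undefined) return true;

  const target = new URL(targetUrl);
  const page = new URL(pageOrigin);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'") {
      if (target.origin === page.origin) return true;
      continue;
    }
    // Host source: compare scheme+host+port; fall back to bare-host match.
    try {
      if (new URL(src).origin === target.origin) return true;
    } catch (_) {
      if (src === target.host) return true;
    }
  }
  return false;
}

// Walk through the answer's example policy against the question's scenario.
function demo() {
  const policy = parseCsp("default-src 'self'; frame-src 'none'; object-src 'none'");
  const page = 'https://mywebsite.example';
  return {
    sameOriginAjax: isAllowed(policy, 'connect', 'https://mywebsite.example/api', page),
    crossOriginAjax: isAllowed(policy, 'connect', 'https://hackerswebsite.example/collect', page),
    // The img.src trick from the comments is covered by img-src via default-src.
    crossOriginImg: isAllowed(policy, 'img', 'https://hackerswebsite.example/asdf.php?myInfo=x', page),
    // frame-src 'none' blocks even same-origin frames; it does not fall back.
    sameOriginFrame: isAllowed(policy, 'frame', 'https://mywebsite.example/', page),
  };
}

console.log(demo());
```

Note the second half of the rule: once connect-src is listed explicitly, it no longer inherits 'self' from default-src, so a policy like default-src 'self'; connect-src https://api.mywebsite.example blocks Ajax to the page's own origin unless 'self' is repeated in connect-src.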