Confused about the same origin policy


15 Replies - 904 Views - Last Post: 09 September 2016 - 10:30 AM

#1 harro.rm

  • D.I.C Head

Reputation: 0
  • Posts: 63
  • Joined: 18-June 16

Confused about the same origin policy

Posted 05 September 2016 - 06:21 PM

I'm a bit confused about the same origin and the cross origin.

From my reading, it seems I have to make HTTP requests from the backend (if made to another API endpoint). But why is it that sometimes I get cross origin errors if I make the calls in the backend, but okay if I make them in the frontend?

Can someone give an example for each (same origin and cross origin), and when it fails/works from the frontend and backend?

Thanks!


Replies To: Confused about the same origin policy

#2 Dormilich

  • 痛覚残留

Reputation: 4202
  • Posts: 13,275
  • Joined: 08-June 10

Re: Confused about the same origin policy

Posted 06 September 2016 - 12:22 AM

SOP examples CORS example

#3 harro.rm

  • D.I.C Head

Reputation: 0
  • Posts: 63
  • Joined: 18-June 16

Re: Confused about the same origin policy

Posted 06 September 2016 - 09:28 AM

So the reason why sometimes I can make requests on the frontend is that the other server allows it? How do you set this configuration for allowing and not allowing?
Is this also the same reason why sometimes I can only make requests on the frontend and not backend? Since according to my understanding, making requests from backend is the preferred way.
Also why is it that sometimes I can make requests from both - in this case, which is preferred? I noticed that making requests from the backend is much slower than frontend (when both are allowed).

#4 Dormilich

  • 痛覚残留

Reputation: 4202
  • Posts: 13,275
  • Joined: 08-June 10

Re: Confused about the same origin policy

Posted 06 September 2016 - 09:34 AM

Quote

So the reason why sometimes I can make request on the frontend is if the other server allows it?

correct

Quote

How do you set this configuration or allowing and not allowing?

through the Access-Control-Allow-Origin header.

Quote

Is this also the same reason why sometimes I can only make requests on the frontend and not backend?

no. SOP only applies to browsers.

but that doesn't mean that a remote server couldn't reject a request (for whatever reason) made from the backend.

Quote

Also why is it that sometimes I can make requests from both - in this case, which is preferred?

that depends ...

#5 harro.rm

  • D.I.C Head

Reputation: 0
  • Posts: 63
  • Joined: 18-June 16

Re: Confused about the same origin policy

Posted 06 September 2016 - 10:28 AM

I'm still a bit confused...

So SOP means I cannot execute siteA.com/script1 on my siteB.com if I include it inside a script tag on my html file?

While CORS relates to getting resources via HTTP requests? How does the other server set the Access-Control-Allow-Origin? In the case of not being able to make requests on the backend, my most recent experience was generating OAuth tokens and getting user permission. I think this sort of makes sense now that I think about it, since the user has to be redirected to a site (e.g. Facebook) and give permission.

In regards to being able to make requests on both frontend and backend, what is the depends on part? Let's say I want to get some json data back and do something with it, then doing it in the backend is preferred right? But I noticed that it takes extremely long if the json data is big (but it's much faster on the frontend). So in this situation, would it be better to do it in the frontend and send the data to the backend later?

#6 Dormilich

  • 痛覚残留

Reputation: 4202
  • Posts: 13,275
  • Joined: 08-June 10

Re: Confused about the same origin policy

Posted 06 September 2016 - 10:38 AM

Quote

So SOP means I cannot execute siteA.com/script1 on my siteB.com if I include it inside a script tag on my html file?

almost. you cannot access a resource from example.com if your page is not from example.com as well.

Quote

How does the other server set the Access-Control-Allow-Origin?

this is totally up to the server. how the response header is generated is irrelevant to the requestor.

Quote

In the case of not being able to make requests on the backend, my most recent experience was generating oauth tokens and getting user permission.

... which has nothing to do with SOP or CORS.

#7 harro.rm

  • D.I.C Head

Reputation: 0
  • Posts: 63
  • Joined: 18-June 16

Re: Confused about the same origin policy

Posted 06 September 2016 - 09:38 PM

Dormilich, on 06 September 2016 - 10:38 AM, said:

almost. you cannot access a resource from example.com if your page is not from example.com as well.

This is probably the part that I'm most confused. Why is it then that I am able to use XMLHttpRequest to retrieve a json from siteA.com/data.json from my site (siteB)?

Quote

... which has nothing to do with SOP or CORS.

I think I was also trying to redirect as well. So I had to construct a url to redirect the user to the permission page, and I was redirecting from the backend. Is that why?

#8 ge∅

  • D.I.C Lover

Reputation: 192
  • Posts: 1,184
  • Joined: 21-November 13

Re: Confused about the same origin policy

Posted 07 September 2016 - 12:00 AM

SiteA must have allowed access to the JSON file only, which makes sense if it is accessible from an API.
You need to learn more about headers. You can set them however you like, it's not even on a per-URL basis: you can decide to add a particular header to a server response every Wednesday, for example.
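
Both halves of what Dormilich (#4) and ge∅ (#8) describe, as an added example that is not code from the thread: a server deciding which Origin earns an Access-Control-Allow-Origin header, and the check a browser performs before letting a page on siteB read a response from siteA. The origins, the allowlist and the function names are assumptions made for the example; only the header names are real.

```javascript
// Added example, not code from the thread. Shows both halves of CORS: the
// server deciding which Origin gets an Access-Control-Allow-Origin header,
// and the browser deciding whether the page may read the response.
// The origins and the allowlist are made up.
'use strict';

// Origins this API is willing to share responses with.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Origin of a URL as the browser computes it: scheme + host (+ port if not
// the default). Path, query and fragment play no part in the comparison.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Server side: CORS headers for a request carrying the given Origin header.
// `requestOrigin` is undefined for same-origin navigations and for
// non-browser clients (curl, a backend), which is why SOP never affects them.
function corsHeaders(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    // Not on the list: send no CORS headers. The request is still served;
    // only the foreign page's ability to read the response is withheld.
    return {};
  }
  return {
    // Echo the matched origin rather than '*': '*' is refused by browsers
    // when cookies are sent, and echoing an unchecked Origin would be '*'
    // plus the user's cookies.
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the response differs per Origin; caches must know
  };
}

// Server side: answer to a preflight (OPTIONS) request, which the browser
// sends before e.g. a JSON POST or a request with an Authorization header.
function preflightHeaders(requestOrigin) {
  const base = corsHeaders(requestOrigin);
  if (Object.keys(base).length === 0) return base;
  return Object.assign({}, base, {
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Max-Age': '600',
  });
}

// Glue for Node's http module or Express: copy the headers onto the
// response. Returns whether the request was granted cross-origin access.
function applyCors(req, res) {
  const headers = req.method === 'OPTIONS'
    ? preflightHeaders(req.headers.origin)
    : corsHeaders(req.headers.origin);
  for (const name of Object.keys(headers)) res.setHeader(name, headers[name]);
  return Object.keys(headers).length > 0;
}

// Browser side: the check a browser makes before handing a response to the
// page's JavaScript (XMLHttpRequest / fetch). Same origin always passes.
function browserMayRead(pageOrigin, targetUrl, responseHeaders, withCredentials) {
  if (pageOrigin === originOf(targetUrl)) return true;
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;           // no CORS: blocked
  if (acao === '*') return !withCredentials;      // wildcard never with cookies
  if (acao !== pageOrigin) return false;          // granted to someone else
  return !withCredentials ||
    responseHeaders['Access-Control-Allow-Credentials'] === 'true';
}
```

Note that the server never refuses to answer: the request reaches it and is processed either way, and only the browser withholds the response body from the page. That is also why a backend or curl never sees a "cross origin error", and why a `*` wildcard is safe only for resources that carry no user-specific data.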

#9 felgall

  • D.I.C Regular

Reputation: 68
  • Posts: 365
  • Joined: 22-February 14

Re: Confused about the same origin policy

Posted 07 September 2016 - 02:35 PM

Dormilich, on 07 September 2016 - 03:38 AM, said:

you cannot access a resource from example.com if your page is not from example.com as well.


Not quite true. You can access resources from example.com if example.com makes those resources available to be shared.

The following script can read any JSONP resource from any web site without needing to check on the same origin policy:

// Global so the remote script can call back into jsonpRequest.<id>.
var jsonpRequest = function(url, callback) {
  var jnum, jname, scr;
  if (!jsonpRequest.cnt) jsonpRequest.cnt = 0;
  jnum = 'j' + jsonpRequest.cnt++;          // unique id per request
  jname = 'jsonpRequest.' + jnum;           // name the server wraps the data in
  if (-1 === url.indexOf('?')) url += '?jsonp=' + jname;
  else url += '&jsonp=' + jname;
  scr = document.createElement('script');
  jsonpRequest[jnum] = function(resp) {
    try {
      callback(resp);
    } finally {
      // clean up the temporary callback and the script element
      delete jsonpRequest[jnum];
      scr.parentNode.removeChild(scr);
    }
  };
  scr.src = url;
  document.getElementsByTagName('body')[0].appendChild(scr);
};


Of course the JSONP must exist on the other web site in order for the script to be able to read it.

#10 ge∅

  • D.I.C Lover

Reputation: 192
  • Posts: 1,184
  • Joined: 21-November 13

Re: Confused about the same origin policy

Posted 07 September 2016 - 11:29 PM

Great answer, but one should consider the risk of executing a script provided by another server. Unlike JSON objects retrieved via AJAX, JSONP is a script that just happens to contain data in it; it can contain something else, such as malicious code.

#11 felgall

  • D.I.C Regular

Reputation: 68
  • Posts: 365
  • Joined: 22-February 14

Re: Confused about the same origin policy

Posted 08 September 2016 - 12:57 AM

ge∅, on 08 September 2016 - 04:29 PM, said:

Great answer, but one should consider the risk of executing a script provided by another server. Unlike JSON objects retrieved via AJAX, JSONP is a script that just happens to contain data in it; it can contain something else, such as malicious code.


Well it is something you'd generally only use when you either own the sites on both servers yourself so as to set up both sides of the code or where you know the person at the other site well enough to trust them to have the script at their end generate proper JSONP.

It isn't a solution to everything but there are some limited circumstances where it provides a way to bypass same origin without using CORS.
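
The other end of the exchange that ge∅ (#10) warns about and felgall (#11) calls "proper JSONP", as an added example and not code from the thread or from either poster: the server half, which wraps the data in whatever callback name the request supplied. Because that name is reflected into a script the browser executes, it is validated before use and the response is marked as script. The `jsonp` query parameter follows the client snippet above; the function names and the data are assumptions.

```javascript
// Added example, not code from the thread: the server half of JSONP, i.e.
// what "proper JSONP" generation at the other end looks like. The query
// parameter name `jsonp` matches the client snippet posted above; the
// function names are made up.
'use strict';

// A callback name is reflected verbatim into a script the browser executes,
// so accept only plain dotted JavaScript identifiers such as
// "jsonpRequest.j0". Anything else (parentheses, quotes, angle brackets)
// would let the request author inject code into the served script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// The script body: callback(<json>). U+2028/U+2029 are legal inside JSON
// strings but act as line terminators in older JavaScript engines, so they
// are escaped to keep the script syntactically intact.
function jsonpBody(callbackName, data) {
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // The leading comment makes the response useless when embedded as
  // anything other than a script (defeats content-type sniffing tricks).
  return '/**/ ' + callbackName + '(' + json + ');';
}

// Build the HTTP response for one request. `query` is the parsed query
// string (undefined or null when `jsonp` is absent). Without a `jsonp`
// parameter this is an ordinary JSON response; with an unacceptable
// callback name it is a 400, never a reflected script.
function jsonpResponse(query, data) {
  const cb = query.jsonp;
  if (cb === undefined || cb === null) {
    return {
      status: 200,
      headers: { 'Content-Type': 'application/json; charset=utf-8' },
      body: JSON.stringify(data),
    };
  }
  if (!isValidCallbackName(cb)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid jsonp callback name',
    };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      // Stop browsers from interpreting the body as anything but script.
      'X-Content-Type-Options': 'nosniff',
    },
    body: jsonpBody(cb, data),
  };
}
```

The validation protects the site serving the JSONP: without it, a link to `data.json?jsonp=<arbitrary code>` returns attacker-chosen script under that site's origin. It does nothing for the consuming page, which still executes whatever the serving site chooses to return; that is the trust felgall describes and the risk ge∅ points out.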

#12 ge∅

  • D.I.C Lover

Reputation: 192
  • Posts: 1,184
  • Joined: 21-November 13

Re: Confused about the same origin policy

Posted 08 September 2016 - 05:22 AM

Why would you not want to use CORS?

I wonder if there is a situation (other than compatibility with IE7 or something) where you would not be able to use CORS but would be able to use JSONP. I'm not even sure I would use it in such case (using my server as a proxy offers the same functionality without the risks and, if you use Node.js streams, there is practically no overhead, even on large files).

Another issue related to security is that JSONP only allows GET requests, which will expose sensitive data sent as parameters, even via https.

Security aside, AJAX seems to be a lot more convenient for handling errors (you have a readystatechange event as well as readyState and status properties). Script tags seem to support the error event, but you can't make the difference between a bad URL, a bad request, a request timeout, or else.
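
The proxy alternative ge∅ mentions in #12, as an added example that is not code from the thread: a same-origin endpoint on your own server that fetches from a fixed set of upstream APIs and streams the body through to the browser, so SOP is never involved and nothing is buffered. The `/proxy/<name>/...` route, the upstream table and the injectable `get` parameter are assumptions. The check a practitioner wants here is the allowlist: a proxy that forwards to any client-supplied URL becomes a way to reach internal hosts from the outside.

```javascript
// Added example, not code from the thread: the same-origin proxy alternative
// ge∅ describes. The /proxy/<name>/... route and the upstream table are
// made up for illustration.
'use strict';

// Fixed table of upstream APIs the proxy may reach. Clients pick by short
// name rather than supplying a URL, so the proxy cannot be pointed at
// internal hosts (SSRF) or used as an open proxy.
const UPSTREAMS = {
  weather: 'https://api.weather.example/v1/',
  quotes: 'https://quotes.example/api/',
};

// Map /proxy/<name>/<path>?<query> onto the upstream URL; null when the
// request names an unknown upstream or tries to escape its base path.
function resolveUpstream(requestUrl) {
  const u = new URL(requestUrl, 'http://proxy.local');
  const m = /^\/proxy\/([a-z]+)\/(.*)$/.exec(u.pathname);
  if (!m || !Object.prototype.hasOwnProperty.call(UPSTREAMS, m[1])) return null;
  const target = new URL(m[2] + u.search, UPSTREAMS[m[1]]);
  // `new URL` resolves "..", "//host" and "scheme:" forms; insist that the
  // result is still underneath the configured base.
  if (!target.href.startsWith(UPSTREAMS[m[1]])) return null;
  return target.href;
}

// Forward the request and stream the upstream body to the client without
// buffering, so a large JSON document costs no more memory than a small one.
// `get(url, cb)` is https.get in production; it is a parameter so the
// handler can be exercised without a network.
function proxy(req, res, get) {
  const target = resolveUpstream(req.url);
  if (target === null) {
    res.writeHead(404, { 'content-type': 'text/plain' });
    res.end('unknown upstream');
    return false;
  }
  const outbound = get(target, (up) => {
    res.writeHead(up.statusCode, {
      'content-type': up.headers['content-type'] || 'application/octet-stream',
    });
    up.pipe(res); // readable -> writable; the body never sits in memory whole
  });
  outbound.on('error', () => {
    if (!res.headersSent) res.writeHead(502);
    res.end();
  });
  return true;
}

// Production wiring (not executed here):
//   const https = require('https');
//   require('http').createServer((req, res) => proxy(req, res, https.get)).listen(3000);
```

From the browser's point of view `/proxy/weather/forecast` is same-origin, so no CORS headers and no JSONP are needed; the server-to-server hop is where felgall's point applies that a remote server may still reject the request for its own reasons, and the 502 branch is where that surfaces.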

#13 felgall

  • D.I.C Regular

Reputation: 68
  • Posts: 365
  • Joined: 22-February 14

Re: Confused about the same origin policy

Posted 08 September 2016 - 12:42 PM

ge∅, on 08 September 2016 - 10:22 PM, said:

Why would you not want to use CORS?

I wonder if there is a situation (other than compatibility with IE7 or something) where you would not be able to use CORS but would be able to use JSONP.


The JSONP way was around for many years before CORS existed. If the site you are connecting to has had the interface available for a long time, then it may provide JSONP but not CORS.

ge∅, on 08 September 2016 - 10:22 PM, said:

Another issue related to security is that JSONP only allows GET requests, which will expose sensitive data sent as parameters, even via https.


All request types expose data equally and GET is correct for any request for when you are not changing anything on the other end. POST implies you are updating something (and exposes the data just as much as GET does - there is no security difference as that would make no sense as they are for different purposes).

#14 ArtificialSoldier

  • D.I.C Lover

Reputation: 2031
  • Posts: 6,202
  • Joined: 15-January 14

Re: Confused about the same origin policy

Posted 08 September 2016 - 04:18 PM

If the connection is over HTTPS, then the request headers and body (including post data, and including the URL which is part of the headers) will be encrypted. The only difference is that if you are sending variables in the querystring (regardless of the request method), then the URL and variables may be saved in server logs on the destination server. It will not get saved in logs or whatever else in any place between the browser and the server, but it may get saved on the destination server if it is logging request URLs. The post data in the request body won't get logged. But if you're using HTTPS then the URL is part of the encrypted information. The only thing that isn't encrypted is the IP address of the destination server, but that information isn't even part of the HTTP request (the IP address is higher up in the TCP/IP stack, not part of the HTTP payload).

#15 ge∅

  • D.I.C Lover

Reputation: 192
  • Posts: 1,184
  • Joined: 21-November 13

Re: Confused about the same origin policy

Posted 08 September 2016 - 11:35 PM

Quote

It will not get saved in logs or whatever else in any place between the browser and the server


I didn't know that. What does your ISP see in its logs in such a case?
