RE: XMLHttpRequest - Do you trust me?

Scott's "SiteExperts" Place has a pretty good conversation about cross domain security when it comes to XMLHttpRequest.

Many web applications that "mash-up" or integrate data from around the web hit the following issue: How do you request data from third party sites in a scalable and cost-effective way? Today, due to the cross-domain restrictions of xmlhttprequest, you must proxy all requests through a server in your domain. 


This problem arises because the xmlhttprequest object can only communicate back to the originating domain.  This restriction greatly limits the potential for building "mash-up" or rich aggregated experiences. While I understand the wisdom behind this restriction, I have begun questioning its value and am sharing some of my thoughts on this. 


Much of the cross-domain concern is around phishing attacks - xmlhttp can be used to request any file from another domain (e.g., html interface), While client access to this data can increase the attack vector, I do not believe the risk of this scenario outweighs the benefits.  I do not believe Phishing sites will benefit more from cross-domain access - they have been capable enough at stealing passwords by merely just copying the UI.  


Other's claim that cross-domain xmlhttp requests can give the client access to private data. If the cross-domain requests are restricted to the same visibility as the host page (e.g., internet sites cannot access the intranet), then the information being requested is already public.  The only potential issue is with a rogue intranet site (requesting authenticated intranet data from another intranet site), but I believe that can be handled via greater controls. Prohibiting client-side cross-domain requests does not entirely protect the user. The moment a server is involved (which means any web-site), any such client internet request can be proxied by the server.  Furthermore, there is no way to indicate to the user when the server does the proxying.


Also, I just want to be clear before anyone gets overly excited (especially those that may disagree with me), there are no plans that I know of to change browser security models around xmlhttprequest. These are merely my obversations.

My general opinon to this was the same as most of the comments on SiteExperts' journal. What is the problem with Cross Domain data fetching? I have been thinking about security concerns here and am not going to talk about them. My belif is that Cross Domain data fetching is more of a theft than anything else. I am using the clients bandwidth in combination with external data providers bandwidth to mitigate the costs of proxying all the request through my own servers. To be brutally honest, that is what I wanted to use third party direct connections from the client for!

What would be nice is a server security model that could be configured to say third party request can be resolved by client A and not client B etc. That is the clients software [Web Browser] doesn't say that it allows cross domain data fetching, but rather the third part says that they will allow it.

I lead the Chrome Developer Relations team at Google.

We want people to have the best experience possible on the web without having to install a native app or produce content in a walled garden.

Our team tries to make it easier for developers to build on the web by supporting every Chrome release, creating great content to support developers on, contributing to MDN, helping to improve browser compatibility, and some of the best developer tools like Lighthouse, Workbox, Squoosh to name just a few.

I love to learn about what you are building, and how I can help with Chrome or Web development in general, so if you want to chat with me directly, please feel free to book a consultation.

I'm trialing a newsletter, you can subscribe below (thank you!)