explanation #47
Comments
|
Read this first https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS Then small addition from me: We have [CLIENT] <---> [BROWSER] <---> [SERVER] Example: We want to request data from CLIENT (http://mysupersite.com) with AJAX on SERVER (http://thirdparty-api.com/hack-the-bank/) How it was and how it is now:
Browser and server perform checks if client can request data:
to make CORS request client actually do 2 requests:
NOTE: if Preflighted request respond with:
So I just intercept requests and response to modify them in extension. For example we want to get data from server http://server.com on client http://cheater.com, but server allow requests only from http://goodboy.com. When user will send ajax request from cheater.com browser will add automatically Origin: http://cheater.com In extension I intercept:
PS. server could have additional checks - in this case you will not get response from server something like this... if I remember it correctly :) |
|
Thanks
…________________________________
From: Vitaly P. <[email protected]>
Sent: Thursday, November 2, 2017 3:55:29 PM
To: vitvad/Access-Control-Allow-Origin
Cc: BHirsch; Author
Subject: Re: [vitvad/Access-Control-Allow-Origin] explanation (#47)
Read this first https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Then small addition from me:
We have [CLIENT] <---> [BROWSER] <---> [SERVER]
Example: We want to request data from CLIENT (http://mysupersite.com) with AJAX on SERVER (http://thirdparty-api.com/hack-the-bank/)
How it was and how it is now:
1. XMLHttpRequest v1 - we can't do this with ajax
2. XMLHttpRequest v2 - we can do this if server has header (Access-Control-Allow-Origin: http://mysupersite.com) and client will send header (Origin: http://mysupersite.com)
2.1) When user send ajax request browser always add automatically Origin: header with client url
all checks if I can send request performed in browser and on server
* server could check that request come with header Origin and if this header contain allowed site could respond with data
* browser check that server respond has header Access-Control-Allow-Origin: http://mysupersite.com
and allow client to send process request.
to make CORS request client actually do 2 requests:
1. Preflighted request https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests
which ask server if I can request data from it at all, and what METHOD server support.
see also https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS#Preflighted_requests_in_CORS
NOTE: if Preflighted request respond with:
Access-Control-Allow-Origin: http://mysupersite.com
then browser allow to send real request from that address to get data from (SERVER)
1. real request will have header Origin:
So I just intercept requests and response to modify them.
For example we want to get data from server http://server.com on client http://cheater.com, but server allow requests only from http://goodboy.com. When user will send ajax request from cheater.com browser will add automatically Origin: http://cheater.com
In extension I intercept:
* preflight request and respond with Access-Control-Allow-Origin: http://cheater.com to fool browser
* real request and rewrite Origin: http://cheater.com to Origin: http://goodboy.com to fool server
PS. server could have additional checks - in this case you will not get response from server
something like this... if I remember it correctly :)
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub<#47 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ARLap57s2s9kU6eu83PmX0Kp0qi_9OMwks5syh4wgaJpZM4QPLvh>.
|
|
thanks |
|
Could you please copy the answer to Readme.md ? |
If someone could explain me how this works I would appreciate it.
Thanks
The text was updated successfully, but these errors were encountered: