Tuesday, 15 January 2013

ajax - Given that you could make cURL requests, what does the same-origin policy actually protect against?


I think I understand what this is. It says that scripts and AJAX requests should come from the same root, which means they should have the same protocol, host, domain and port.

What I do not really understand is what it protects against. For example, say we have two sites: attacker.com and bank.com. I think that attacker.com cannot have a script or AJAX request that uses the bank.

  • You can use

    Looking at these things, how does the same-origin policy actually protect?

  • There is no security issue when you send your own request to the bank, whether with curl or with your browser. There is no attacker in these scenarios, just you and the bank.

    When you go to attacker.com, it can, without you being aware of it, make requests to the bank using your browser, which may be logged in at bank.com.

    The same-origin policy prevents the owner of attacker.com from making requests to the bank using your browser.
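The scenario in the answer above as a runnable toy model, added here and not part of the original question or answer. It simulates a browser that keeps a cookie jar per origin and applies the same-origin policy, and it goes one step beyond the answer's wording: the cross-origin request still leaves the browser carrying the victim's bank.com cookie, and what the policy withholds from attacker.com's script is the response. The bank server, the session cookie value and the balance are constructed sample values.

```javascript
// Added example (not from the original post): a toy browser with a per-origin
// cookie jar and a same-origin check on who may read a response.

// An origin is the (protocol, host, port) triple the question lists.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed "bank" server: returns the balance only to a logged-in session.
const bankServer = {
  handle(req) {
    if (req.cookie === 'session=victim-123') {
      return { status: 200, body: 'balance: 1000' };
    }
    return { status: 401, body: 'not logged in' };
  },
};

// Toy browser: a script on pageUrl asks it to fetch targetUrl. The browser
// attaches the cookies it holds for the target origin (the victim's bank
// session), sends the request, then lets the script read the response only
// when the page and the target share an origin.
function browserFetch(pageUrl, targetUrl, cookieJar) {
  const req = { url: targetUrl, cookie: cookieJar[originOf(targetUrl)] || null };
  const resp = bankServer.handle(req);
  if (!sameOrigin(pageUrl, targetUrl)) {
    // Request was sent with the victim's cookie; response is opaque to the script.
    return { sent: true, status: 'opaque', body: null };
  }
  return { sent: true, status: resp.status, body: resp.body };
}

// curl from your own machine: no browser cookie jar, so the bank sees a stranger.
function curlFetch(targetUrl) {
  return bankServer.handle({ url: targetUrl, cookie: null });
}

// Constructed victim state: logged in at bank.com.
const victimJar = { 'https://bank.com:443': 'session=victim-123' };
```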

