Page 2 of 2
Results 11 to 14 of 14

Thread: (CORS) Cross-Origin Resource Sharing requests

  1. #11
    Sencha Premium Member
    Join Date
    Jan 2011
    Location
    Dundas, Ontario, Canada
    Posts
    84

    Default

    Quote Originally Posted by btek View Post
    We had these changes made to the server and finally it worked!

    # add these lines after the htdocs directory section
    <Directory "/usr/local/apache2/htdocs/ws">
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Methods "GET,POST"
    Header set Access-Control-Allow-Headers "x-prototype-version,x-requested-with"
    </Directory>

    I would be careful with using a wildcard (*) with CORS, this makes you vulnerable to XSS attacks. You should specify a site there, or if you need to have multiple sites, use HTTP_ORIGIN (webkit only) and compare it with a list of approved sites then insert that site into the Allow-Origin header.

  2. #12
    Sencha Premium Member
    Join Date
    Apr 2012
    Location
    Germany
    Posts
    124

    Default

    But what if you have to allow access from mobile devices? They do not have a fixed IP address.

  3. #13
    Sencha Premium Member
    Join Date
    Jan 2011
    Location
    Dundas, Ontario, Canada
    Posts
    84

    Default

    Hi Cliff,

    CORS actually doesn't have anything to do with the IP of the end-user. It's used to allow (non-JSONP) ajax requests between two different web domains.

    Normally an ajax request is between your site's javascript and your server on the same domain. But if, for some reason, you need ajax between a site on a different domain (say, my-sencha-touch-app.com) and your site (say, my-website.com) you need to use CORS to give your app domain permission to make AJAX requests to your website domain. Otherwise errors come up in your Javascript console about XSS.

    In this example, if my-website.com was using PHP, you'd want something like:

    PHP Code:
    <?php
    // Send these before any output; the browser reads them from the response.
    header("Access-Control-Allow-Origin: http://my-sencha-touch-app.com");
    header("Access-Control-Allow-Credentials: true"); // if you're using a cookie from this website
    header("Access-Control-Allow-Headers: x-requested-with");
    // The response header is Allow-Methods; Access-Control-Request-Method is the
    // header the browser itself sends in the preflight, so setting it here does nothing.
    header("Access-Control-Allow-Methods: GET,POST");
    If you have multiple apps or have multiple domain names for your app, there isn't yet a way to specify multiple domains, though what you can do is use some PHP to check where the HTTP_ORIGIN of the request is and compare it to an approved list.

    The vulnerability in specifying a wildcard is most pronounced when login is being done via CORS. Any third-party website could then act on behalf of the logged in user. For examples, see https://www.owasp.org/index.php/Cros...Forgery_(CSRF)
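One way to implement the HTTP_ORIGIN allowlist that the two posts above describe, as an added example that is not code from this thread or from Sencha. The function names, the allowlist entries, the use of X-Requested-With, and the assumption that the endpoint runs on PHP 7.1 or later are mine.

```php
<?php
// Added example: choose CORS response headers from an exact-match allowlist
// of origins instead of a wildcard. The origins listed here are assumptions.

const ALLOWED_ORIGINS = [
    'http://my-sencha-touch-app.com',
    'https://my-sencha-touch-app.com',
];

/**
 * Return the CORS headers to send for $origin, or null when the origin is not
 * allowed (then no Access-Control-* headers go out and the browser blocks the
 * cross-origin read, which is the default same-origin behaviour).
 *
 * @param string|null $origin          value of the request's Origin header, or null if absent
 * @param string[]    $allowed         full origins "scheme://host[:port]", no path, no wildcard
 * @param bool        $withCredentials true if the app relies on this site's cookies
 */
function corsHeadersFor(?string $origin, array $allowed, bool $withCredentials = true): ?array
{
    // No Origin header: not a cross-origin browser request; nothing to add.
    if ($origin === null || $origin === '') {
        return null;
    }
    // Exact, whole-string comparison. Do NOT use strpos()/preg_match() here:
    // "http://my-sencha-touch-app.com.evil.example" or
    // "http://evil.example/?my-sencha-touch-app.com" would otherwise match.
    // This also rejects the literal "null" origin that file:// pages and
    // sandboxed iframes send, unless someone wrongly adds "null" to the list.
    if (!in_array($origin, $allowed, true)) {
        return null;
    }
    $headers = [
        // Echo the one matching origin; never "*" when credentials are in play.
        'Access-Control-Allow-Origin'  => $origin,
        // The response now depends on Origin; without this a shared cache could
        // hand origin B a copy that carries origin A's Allow-Origin header.
        'Vary'                         => 'Origin',
        'Access-Control-Allow-Methods' => 'GET, POST',
        'Access-Control-Allow-Headers' => 'X-Requested-With',
    ];
    if ($withCredentials) {
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }
    return $headers;
}

/** Emit the headers and answer the preflight (OPTIONS) with an empty 204. */
function applyCors(array $allowed): void
{
    $origin  = $_SERVER['HTTP_ORIGIN'] ?? null;   // PHP exposes the Origin header here
    $headers = corsHeadersFor($origin, $allowed);
    if ($headers !== null) {
        foreach ($headers as $name => $value) {
            header("$name: $value");
        }
    }
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
        http_response_code(204);
        exit;
    }
}

// Call this at the top of the endpoint, before any output:
// applyCors(ALLOWED_ORIGINS);
```

The check is deliberately an exact string match against the whole origin. Any rule that accepts a substring, a regex, or a host suffix is the classic way a CORS allowlist turns back into a wildcard for an attacker who registers a look-alike domain.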

  4. #14
    Sencha Premium Member
    Join Date
    Apr 2012
    Location
    Germany
    Posts
    124

    Default

    Hi rgporter,

    thanks a lot for your post. I got confused with the IP-address and the domain name.
    Now just to get it right. If I have a ST2 app with the domain com.test.myapp and pack it with PhoneGap for example. Then on the server side, I would only need to allow that domain to perform CORS request, right?

    Once again thanks a lot. You really helped me understanding the principles.

