What is the reason behind the blocking of Ajax GET requests without CORS, while JSONP requests are permitted?

Accessing any page on the web through a GET request using HTML tags from a different origin is possible:

<script src="http://example.com/user/post?txt=sample"></script>

XHR requests to other origins are blocked for security reasons. For example, an attacker could impersonate a user by making a POST request on their behalf (although this isn't actually possible due to lack of cookies). However, using the above script tag achieves the same effect (also without access to cookies). So why are XHR GET requests not permitted?

javascriptajaxsecuritycors

Answer №1

According to RFC 2616 section 9.1.1, GET requests are intended for retrieving information from the server and should not cause any changes to occur:

"In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered 'safe'."

If a site allows posting through a GET request, it goes against this convention and exposes potential security risks. The same-origin policy is not enough to prevent unauthorized actions.

The reason XMLHttpRequest (XHR) is treated differently is due to its ability to return HTTP responses directly to JavaScript code, which can lead to information leakage. For instance, allowing cross-domain XHR GET requests could enable malicious scripts to access sensitive data, such as bank account balances.

Other methods of executing GET requests, like using <script> or <img> tags, do not pose the same risk of information disclosure. Scripts included in the response must adhere to specific conventions, while images loaded from external sources cannot be accessed programmatically.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Optimizing the Placement of Dynamic Google Maps

After setting up a responsive Google map using this jsFiddle and guidance from this stack overflow post, I encountered an issue. How can I keep the map centered on the marker across various viewports and browser sizes? I came across a solution in this res ...

javascriptjquerygoogle-maps

JQuery's .ajax function often triggers the success callback before the page it is calling

Below is the code I am currently working with: <script type="text/javascript"> $(function(){ $("#AddMaps").submit(function(){ var $form = $('#AddMaps'); $.ajax({ type: 'POST&a ...

phpajaxjquery

The empty string is not getting recognized as part of an array

Currently, I have a textarea field where pressing enter submits and creates a new item in the array. Pressing shift + enter creates a new line in the textarea input field. But when trying to submit by pressing shift and enter after creating a new line, it ...

javascripthtmlcssreactjs

The issue at hand is that one of the JavaScript buttons is functioning properly, while the other is not playing the video as intended. What steps can

I've been working on a script for my school project website that should make buttons play videos, but I'm running into an issue where it only works for the first button (btn). Programming isn't my strong suit, and I put this together based o ...

javascripthtmlcssvideo

Transmitting Filter Choices as an Object for Retrieving Multiple Values within an Angular Application

In my Angular application, I have a function that takes user selections for various filter types and sends a request to the API to retrieve filtered data based on those selections. Each filter type returns values in an array format, allowing users to selec ...

javascriptangulartypescriptjavascript-objects

Reduce the number of redundant fields in MongoDB collections

I'm facing an issue with my model structure. Here is the schema: var accountSchema = new mongoose.Schema({ 'seeker': { 'fullName': String, 'ageGroup': String, 'education': String, ...

javascriptnode.jsmongodbmongoose

The robots.txt file in Nuxt.js allows for multiple disallow directives for each user agent

With the Nuxt module called nuxt-robots, how can I set up multiple disallow rules per user agent? Currently, my configuration looks like this: robots: () => { return { UserAgent: '*', Disallow: '/search/', Si ...

javascriptvue.jsnuxt.jsrobots.txt

Having trouble with PHP's json_decode function with GET variables in an object?

I am currently working with an angular code that utilizes jsonp. One issue I am encountering is related to the object variable 'o_params' in my params. Here is the javascript code snippet: $http({ method: 'JSONP', ...

javascriptphpangularjsjsonjsonp

Maximizing for-loop efficiency: the advantage of caching array length

Let's compare two variations of a loop iteration: for (var i = 0; i < nodes.length; i++) { ... } and var len = nodes.length; for (var i = 0; i < len; i++) { ... } Would the second version be faster than the first one in any way? ...

javascriptperformancefor-loop

Obtaining OSGi configuration values within a servlet

In my OSGI configuration file, I have defined three names. The goal is to retrieve these values in a servlet, alphabetically sort them, and then send the sorted response to an AJAX call for display in a custom AEM component. package com.demo.training.core. ...

ajaxservletsserviceosgiaem

The PHP response is constantly changing and adapting, creating

My webpage has a button that triggers an ajax request to a php page, all working well. I have a database called messages, with columns for "id", "receiver", "sender", and "message". Let's say there are two entries in the database where both the sender ...

phpjqueryajax

Here is an example of how to transfer a value from PHP to a jQuery function in the code snippet provided

This is an example of my code. It is functioning properly even without passing a value. function displayMessage(text) { alert(text); } <button type="button" id="button" class="btn btn-success" onclick="displayMessage("Hello");"> Click Me </ ...

javascriptphpjqueryajaxhtml

What could be causing the asynchronous function to return a pending promise even after using the await keyword?

I seem to be overlooking something as I cannot comprehend why my promise does not resolve. I have simplified the code to this basic example: ... console.log("before"); const promise = second(); console.log("after"); console.l ...

javascriptnode.jspromiseasync-await

Sending template reference from one Angular component to another

I have a main grid component that includes smaller grid-item components. The majority of these grid items navigate to a specific route when clicked. However, there is one particular item that should open a modal window instead of navigating. Is there a wa ...

javascriptangulartypescript

utilizing vuex store within a JavaScript document

Currently, I'm encountering an issue while attempting to access my store from a helper function file: import store from '../store' let auth = store.getters.config.urls.auth An error is being logged: Uncaught TypeError: Cannot read prop ...

javascriptvue.jsvuex

Understanding the lockfile: deciphering the significance of each line in the yarn.lock file

I'm curious about the meaning of each line in this file. I encountered issues with packages due to dependencies in my project. After upgrading nuxt from version 1x to 2x, all tests started failing. After spending hours searching online, I discovered ...

javascriptnpmyarnpkgpackage-managerslockfile

PreventDefault() equivalent: Proceeding with ActionLink function logic

<%: Html.ActionLink("Print", "Print", "Print", New With {.id = Model.ID}, New With {.target = "_blank", .class = "print"})%> Is there a way to ensure that the _blank page opens even after using preventDefault in the click event? $('#NameOfB ...

ajaxjsonpreventdefault

AngularJS single-page application with model-view-controller style designs

Hey there, I'm relatively new to AngularJS and currently on a steep learning curve. I've been working on developing an AngularJS SPA and have grasped the basics. I'm using ngRoute for routing and have put together a basic application framew ...

javascriptangularjslayoutngroute

Mastering intricate data structures using React.js

I am working on creating a table for orders using React+Redux. The data I need is stored in props and it has a structured format similar to this: [{ //stored in props(redux state) "id": 37, //order 1 "content": { "items": { " ...

javascriptjsonreactjs

The call is not being answered by the server route (NodeJS + express)

I have encountered an issue while setting up a server using NodeJS and Express. When I attempt to make a get request to the basic route ('http://localhost:3000/'), the request seems to hang indefinitely. Despite thoroughly reviewing my code multi ...

javascriptnode.jsexpresssockets