IEInternals

This blog is closed as of 2/2015. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14.

XDomainRequest - Restrictions, Limitations and Workarounds

XDomainRequest - Restrictions, Limitations and Workarounds

  • Comments 44

Update: Internet Explorer 10+ supports CORS using XMLHTTPRequest. IE11 deprecates the XDomainRequest object and it is not available in IE11 Edge mode.

In Internet Explorer 8, the XDomainRequest object was introduced. This object allows AJAX applications to make safe cross-origin requests directly by ensuring that HTTP Responses can only be read by the current page if the data source indicates that the response is public; in that way, the Same Origin Policy security guarantee is protected. Responses indicate their willingness to allow cross domain access by including the Access-Control-Allow-Origin HTTP response header with value *, or the exact origin of the calling page.

When designing the new object, our top priority was to ensure that existing sites and services would not be put at risk. To that end, we imposed a number of restrictions on what sort of requests can be made with the XDomainRequest object. Most of the restrictions are designed to help prevent Cross-Site Request Forgery (CSRF) attacks against legacy services.

The restrictions and the reasoning behind them are described by the rest of this post.

1. The target URL must be accessed using the HTTP or HTTPS protocols.

This one is simple—because the object relies on a HTTP response header for access control, the object requires that the target URL be HTTP or HTTPS so that it can examine the response headers to obtain permission to make the response available to the caller.

2. The target URL must be accessed using only the HTTP methods GET and POST

In order to ensure that the new object did not increase the attack surface against existing servers and services, we elected to restrict the HTTP methods (verbs) it may call to GET and POST. HTML 4.01 forms are restricted to these same methods, which means that any service which is at risk from the XDomainRequest object would also be vulnerable to attack from a cross-origin HTML Form. Since HTML Forms have existed for well over a decade, it’s assumed that applications have been hardened against attack from the GET and POST methods.

We could not assume that requests issued using other methods would be similarly handled by servers. Beyond that concern, most other methods that developers would hope to use (e.g. WebDAV / REST methods) also require sending custom HTTP Headers, and:

3. No custom headers may be added to the request

This restriction is similar to #2; we wanted to ensure that the XDomainRequest object would not allow an attacker to issue a request that a HTML Form could not issue. This is important because the Access-Control-Allow-Origin header isn’t available until after the response is returned, so there’s no way to tell before the request is issued whether or not the server is willing to accept cross-domain HTTP requests. Without these restrictions, a “Fire and Forget” CSRF attack could take place against a legacy server, even if the server doesn’t return the Access-Control-Allow-Origin header.

All XDomainRequest-issued requests are sent with an Origin header, indicating the Origin (scheme+hostname) of the caller.

4. Only text/plain is supported for the request's Content-Type header

In the original incarnation of the XDomainRequest object, we allowed specification of the Content-Type for a POST request. It was pointed out that this violated our goal of emitting only requests that HTML Forms can issue, because HTML Forms are limited to sending data in three different content types: text/plain, application/x-www-urlencoded, and multipart/form-data. In particular, it was pointed out that some AJAX server libraries would blindly assume that if they received a request with a SOAP or JSON Content-Type, then the client must either be trusted or Same Origin (because HTML itself previously offered no way to issue cross-origin requests with that Content-Type).

Unfortunately, when we fixed this problem in a later IE8 Beta, we went a bit too far; we restricted the content type to text/plain but didn’t allow the caller to specify that the data was in application/x-www-urlencoded form. This is problematic because server-side frameworks (e.g. ASP, ASPNET, etc) will only automatically parse a request’s fields into name-value pairs if the x-www-urlencoded content type is specified.

Note: As of 2014, XDomainRequest doesn't appear to send any Content-Type header at all. It's not clear to me when this changed.

To workaround this issue, server code that currently processes HTML Forms must be rewritten to manually parse the request body into name-value pairs when receiving requests from XDomainRequest objects. This makes adding support for the XDomainRequest object more difficult than it would be otherwise.

5. No authentication or cookies will be sent with the request

In order to prevent misuse of the user’s ambient authority (e.g. cookies, HTTP credentials, client certificates, etc), the request will be stripped of cookies and credentials and will ignore any authentication challenges or Set-Cookie directives in the HTTP response. XDomainRequests will not be sent on previously-authenticated connections, because some Windows authentication protocols  (e.g. NTLM/Kerberos) are per-connection-based rather than per-request-based.

Sites that wish to perform authentication of the user for cross-origin requests can use explicit methods (e.g. tokens in the POST body or URL) to pass this authentication information without risking the user’s ambient authority.

6. Requests targeted to Intranet URLs may only be made from the Intranet Zone

As the table in the documentation shows, XDomainRequest restricts Internet-Zone pages from making requests to Local Intranet-based resources. This security precaution isn’t directly enforced by HTML Forms, but Internet Explorer’s Zone Elevation security feature provides a similar protection for navigations, of which Form Submissions are simply a specialized type.

7. Requests must be targeted to the same scheme as the hosting page

This restriction means that if your AJAX page is at http://example.com, then your target URL must also begin with HTTP. Similarly, if your AJAX page is at https://example.com, then your target URL must also begin with HTTPS.

It was definitely our intent to prevent HTTPS pages from making XDomainRequests for HTTP-based resources, as that scenario presents a Mixed Content Security Threat which many developers and most users do not understand.

However, this restriction is overly broad, because it prevents HTTP pages from issuing XDomainRequests targeted to HTTPS pages. While it’s true that the HTTP page itself may have been compromised, there’s no reason that it should be forbidden from receiving public resources securely.

Worst of all, the Same Scheme restriction means that web developers testing their pages locally using the file:// scheme will find that all of the XDomainRequests are blocked because file:// doesn’t match either http:// or https://, which are the only valid target schemes (point #1). To workaround this issue, web developers must host their pages on a local web server (e.g. IIS, the Visual Studio hosting server, etc).

To workaround this limitation, you can build a postMessage-Proxy-for-XDR.

 

Despite the restrictions and unintended limitations, the XDomainRequest object provides powerful functionality. As servers that support the CORS specification become more common, the object will only get more useful.

Update: Internet Explorer 10 now supports CORS using XMLHTTPRequest which should be preferred to the now-deprecated XDomainRequest object.

-Eric

Note: We intended to support COMET-streaming with XDomainRequest, but AJAX developers may need to workaround one small bug in the object’s support for streaming responses.

Note: In IE8, all XDomainRequests will fail with an error when the user is browsing in InPrivate Browsing mode. This bug was fixed in Internet Explorer 9.

  • I want to send cross domain request from javascript on IE and it seems that MS XMLHTTPRequest won't subject to cross domain policy. I was trying to use XDomainRequest to access google.com and the callback function loadd is never called. According to msdn, "The document will request data from the domain's server by sending an Origin header with the value of the origin. It will only complete the connection if the server responds with an Access-Control-Allow-Origin header of either * or the exact URL of the requesting document ".  I used Fiddler to send auto response that include the Access-Control-Allow-Origin in the header and it workds. I look at the real response google returned and it does not include this in the header

    Does it really need the server to return repsonse with access-control-allow origin in the header in order to work?

    [EricLaw]: For security reasons, yes.

    If that's the case, how can we solve this problem if we send request to a server that is out of our control?

    [EricLaw]: For security reasons, you cannot; that's the point of the restriction-- the server must opt-in.

  • It seems the request sent by IE doesn't have any content-type header.

    Being forced to user text/plain is not a problem in itself, but I was expecting IE to send a header like this one :

    content-type = text/plain

    but it's not there :-/ so I have to mess with my server implementation :-/

  • I'm using XDR and responseText is populated. responseXML is not. The server is sending Content-type: text/xml It does have a BOM, however, on UTF-8 charset. Is XDR supposed to be automatically parsing and populating responseXML or not. One of your comments seems to indicate that an application can send whatever it likes, which only muddied the question for me.

    I guess for now, I'll fire up DOMParser and feed in the XML and pray.

  • @Richard: XDR doesn't have a responseXML property. If you want to parse an XML DOM from a response, do exactly as you've done-- parse the text as XML.

  • It is not clear for me: is the CORS header needed if the request is done to the same domain? The spec seems to say that the CORS header is mandatory. This would means that we need to determine if a request is to another domain and choose between XMLHttpRequest and XDomainRequest...

  • For some reason when I open the XDomainRequest on a clients computer it does not work, it works on their servers but not their local machines. Is there an IE setting I need to change?

    The exception is called TypeCast Error, it happens when this.xdr.open("POST", EndpointAddress); is called, and only on their login computers.

    Any ideas why?

    function CreateCrossDomainMessage(ExecuteExternalWebServiceClass, EndpointAddress, PostData) {

               new CrossDomainMessage(ExecuteExternalWebServiceClass, EndpointAddress, PostData);

           }

           function CrossDomainMessage(ExecuteExternalWebServiceClass, EndpointAddress, PostData) {

               this.ExecuteExternalWebServiceClass = ExecuteExternalWebServiceClass;

               this.xdr = new XDomainRequest();

               XDomainRequest.prototype.CrossDomainMessage = this;

               this.CrossDomainMessageLoaded = function () {

                   this.CrossDomainMessage.ExecuteExternalWebServiceClass.MessageReady(this.CrossDomainMessage.xdr.responseText);

               }

               this.CrossDomainMessageError = function () {

                   this.CrossDomainMessage.ExecuteExternalWebServiceClass.MessageError();

               }

               this.CrossDomainMessageTimeout = function () {

                   this.CrossDomainMessage.ExecuteExternalWebServiceClass.MessageTimeout();

               }

               this.xdr.open("POST", EndpointAddress);

               this.xdr.timeout = 20000;

               this.xdr.ontimeout = this.CrossDomainMessageTimeout;

               this.xdr.onerror = this.CrossDomainMessageError;

               this.xdr.onload = this.CrossDomainMessageLoaded;

               this.xdr.send(PostData);

           }

  • Eric,

    Can you give more detail explanation on how to implement postMessage-Proxy-for-XDR (or maybe some code example)? my application is invoked from customer web site, so I have no control on what http protocol they use.

    Second, there seems timing issue on the onload event, sporadically it is fired too early (before server send back response). Any suggestion to workaround?

  • @EricChang: The link I provided in my blog post *is* the code sample. Just View Source.

  • Hi EricLaw,

    We are developing a webservices based system, and we are using CORS to change data between diferent domains. But a particular behavior we presenced at IE 8 and IE 9, using XDomainRequest, is reporting a poor performance when consuming considerable data volume.

    For exemple: when handling 500Kb of data lenght (allways string data, text based info), IE works pretty fine. When handling 2.8Mb data lenght, both IE versions still going to work good. But then, as an application behavior, sometimes large data will be loaded: 6Mb, 14Mb, and even 20Mb. At those points, performance goes down increasily, and as bigger are the data, slower is the transfer time. Sometimes, Windows OS points IE hangs up (what is not true: in fact, if you stay wainting for the response "onload" event, it will be fired, at some time).

    So, i would like to know if this issue is a knowlegment, someone else have this problem too, and if is there something that whe can do to make big data responses faster when using XDomainRequest.

    Note: at other browsers, XMLHttpRequest Level 2 based, this behavior does not happen.

    Thank you

    Fwendt

  • How do I get more error details when onerror callback is called?

  • I am facing a serious problem with XDomainRequest POST, Can you please let me know how can i set my reuest's body like this?

    I m trying to post some data into AMAZON S3 server.

    This POST body also contains a file object. Please help!!!

    -----------------------------98942870323811 Content-Disposition: form-data; name="policy" eyJleHBpcmF0aW9uIjogIjIwMTItMTItMTJUMDA6MDA6MDBaIiwgImNvbmRpdGlvbnMiOiBbICB7ImJ1Y2tldCI6ICJ1cGxvYWRzLW1vZHJpYS1jb20ifSAsWyJzdGFydHMtd2l0aCIsICIka2V5IiwgInVwbG9hZHMvIl0sIHsiYWNsIjogInByaXZhdGUifSwgWyJzdGFydHMtd2l0aCIsICIkQ29udGVudC1UeXBlIiwgIiJdLCBbImNvbnRlbnQtbGVuZ3RoLXJhbmdlIiwgMCwgMjA5NzE1MjBdIF0gfQ== -----------------------------98942870323811 Content-Disposition: form-data; name="signature" XXXXXXXXXXXXXXXXXXXX -----------------------------98942870323811 Content-Disposition: form-data; name="Content-Type" application/octet-stream -----------------------------98942870323811 Content-Disposition: form-data; name="file"; filename="raee.txt" Content-Type: text/plain

    EricLaw: Sorry, you won't be able to use XDR for this, due to problem #4. Multipart-MIME uploads require that you set the proper Content-Type header with the boundary marker. XDR forbids that.

  • My website uses Amazon S3 to store not only my CSS files but FONT as well.  All browsers work just fine with this except IE (8,9,10). Apparently when IE loads my CSS from from AWS3 and then that file wants to load a FONT file from AWS3 IE blocks it. I have a temporary (lousy...) fix to put the CSS file on my server and not host it on AWS3. Now all flavors of IE work properly as do all the other browsers that worked before.

    Obviously, this cripples my use of a CDN to host my static resources and to be able to take advantage of CloudFront, etc.

    So, my question is why does only IE act like this and what, if anything, can I do to fix it and re-host my CSS file on AWS3 as well as the FONT??

    [EricLaw]: Hit F12 to open the DevTools and look at the console tab for the error message. You almost certainly forgot to add the Access-Control-Allow-Origin header on the response. See e.g. http://stackoverflow.com/questions/5008944/how-to-add-an-access-control-allow-origin-header

  • Eric, you answered my comment/issue (Art 29-Jan) telling me to put in Access-Control-Allow-Origin header but that's the first thing I tried. That is not the problem here.

    IE is failing to accept the fact that a CSS file hosted on AWS and downloaded using the CORS protocol (Access-Control-Allow-Origin header) *and* then is asked to load a font via @font-face from the same place on AWS.  The CSS file is downloaded and used just fine but the font file requested in that CSS file is not being accessed.

    There is some quirk in IE that doesn't handle this situation (I've tested IE 9,10).

    EricLaw: Sorry, no. This configuration works fine and is used by thousands of sites every day. Feel free to email me if you'd like me to debug it for you.

  • <summarized>I have written a widget using KendoUI and it works awesome in browsers that support CORS. I can't use XDR without writing a bunch of code. What should I do? </summarized>

    EricLaw: Use Internet Explorer 10, which supports CORS for XHR, like all of its current-version competitors. In older versions, you can either write new code to use XDR or Flash or myriad other workarounds.

  • The full solution to get XDomainRequest working includes ensuring all of the event handlers are attached as well as placing the send method on a separate thread using setTimeout.  As described here - social.msdn.microsoft.com/.../30ef3add-767c-4436-b8a9-f1ca19b4812e.

    EricLaw: setTimeout doesn't change the thread, it simply queues the operation for later execution by the same UI thread. If you have a repro site that actually demonstrates this problem, I'd love to see it (email me) and determine whether an IE bug actually exists here. I've never seen any such issue.

Page 2 of 3 (44 items) 123