Cross Domain Form POSTing

Question

I ve seen articles and posts all over  including SO  on this topic  and the prevailing commentary is that same-origin policy prevents a form POST across domains   The only place I ve seen someone suggest that same-origin policy does not apply to form posts  is here   I d like to have an answer from a more  official  or formal source   For example  does anyone know the RFC that addresses how same-origin does or does not affect a form POST   clarification  I am not asking if a GET or POST can be constructed and sent to any domain   I am asking    if Chrome  IE  or Firefox will allow content from domain  Y  to send a POST to domain  X  if the server receiving the POST will actually see any form values at all   I say this because the majority of online discussion records testers saying the server received the post  but the form values were all empty   stripped out  What official document  i e  RFC  explains what the expected behavior is  regardless of what the browsers have currently implemented     Incidentally  if same-origin does not affect form POSTs - then it makes it somewhat more obvious of why anti-forgery tokens are necessary   I say  somewhat  because it seems too easy to believe that an attacker could simply issue an HTTP GET to retrieve a form containing the anti-forgery token  and then make an illicit POST which contains that same token   Comments

User · Answer

Same origin policy has nothing to do with sending request to another url (different protocol or domain or port).

It is all about restricting access to (reading) response data from another url. So JavaScript code within a page can post to arbitrary domain or submit forms within that page to anywhere (unless the form is in an iframe with different url).

But what makes these POST requests inefficient is that these requests lack antiforgery tokens, so are ignored by the other url. Moreover, if the JavaScript tries to get that security tokens, by sending AJAX request to the victim url, it is prevented to access that data by Same Origin Policy.

A good example: here

And a good documentation from Mozilla: here

User · Answer

The same origin policy is applicable only for browser side programming languages  So if you try to post to a different server than the origin server using JavaScript  then the same origin policy comes into play but if you post directly from the form i e  the  action points to a different server like    lt form action  http   someotherserver com  gt    and there is no javascript involved in posting the form  then the same origin policy is not applicable    See wikipedia for more information

User · Answer

It is possible to build an arbitrary GET or POST request and send it to any server accessible to a victims browser   This includes devices on your local network   such as Printers and Routers    There are many ways of building a CSRF exploit   A simple POST based CSRF attack can be sent using  submit   method    More complex attacks   such as cross-site file upload CSRF attacks will exploit CORS use of the xhr withCredentals behavior   CSRF does not violate the Same-Origin Policy For JavaScript because the SOP is concerned with JavaScript reading the server s response to a clients request   CSRF attacks don t care about the response   they care about a side-effect  or state change produced by the request   such as adding an administrative user or executing arbitrary code on the server   Make sure your requests are protected using one of the methods described in the OWASP CSRF Prevention Cheat Sheet   For more information about CSRF consult the OWASP page on CSRF

[html] Cross Domain Form POSTing

Examples related to html

Examples related to security

Examples related to http

Examples related to csrf

Examples related to same-origin-policy