Cross Domain Form POSTing

Question

I ve seen articles and posts all over  including SO  on this topic  and the prevailing commentary is that same-origin policy prevents a form POST across domains   The only place I ve seen someone suggest that same-origin policy does not apply to form posts  is here   I d like to have an answer from a more  official  or formal source   For example  does anyone know the RFC that addresses how same-origin does or does not affect a form POST   clarification  I am not asking if a GET or POST can be constructed and sent to any domain   I am asking    if Chrome  IE  or Firefox will allow content from domain  Y  to send a POST to domain  X  if the server receiving the POST will actually see any form values at all   I say this because the majority of online discussion records testers saying the server received the post  but the form values were all empty   stripped out  What official document  i e  RFC  explains what the expected behavior is  regardless of what the browsers have currently implemented     Incidentally  if same-origin does not affect form POSTs - then it makes it somewhat more obvious of why anti-forgery tokens are necessary   I say  somewhat  because it seems too easy to believe that an attacker could simply issue an HTTP GET to retrieve a form containing the anti-forgery token  and then make an illicit POST which contains that same token   Comments

User · Answer

It is possible to build an arbitrary GET or POST request and send it to any server accessible to a victims browser. This includes devices on your local network, such as Printers and Routers.

There are many ways of building a CSRF exploit. A simple POST based CSRF attack can be sent using .submit() method. More complex attacks, such as cross-site file upload CSRF attacks will exploit CORS use of the xhr.withCredentals behavior.

CSRF does not violate the Same-Origin Policy For JavaScript because the SOP is concerned with JavaScript reading the server's response to a clients request. CSRF attacks don't care about the response, they care about a side-effect, or state change produced by the request, such as adding an administrative user or executing arbitrary code on the server.

Make sure your requests are protected using one of the methods described in the OWASP CSRF Prevention Cheat Sheet. For more information about CSRF consult the OWASP page on CSRF.

User · Answer

The same origin policy is applicable only for browser side programming languages  So if you try to post to a different server than the origin server using JavaScript  then the same origin policy comes into play but if you post directly from the form i e  the  action points to a different server like    lt form action  http   someotherserver com  gt    and there is no javascript involved in posting the form  then the same origin policy is not applicable    See wikipedia for more information

User · Answer

Same origin policy has nothing to do with sending request to another url  different protocol or domain or port    It is all about restricting access to  reading  response data from another url  So JavaScript code within a page can post to arbitrary domain or submit forms within that page to anywhere  unless the form is in an iframe with different url    But what makes these POST requests inefficient is that these requests lack antiforgery tokens  so are ignored by the other url  Moreover  if the JavaScript tries to get that security tokens  by sending AJAX request to the victim url  it is prevented to access that data by Same Origin Policy   A good example  here  And a good documentation from Mozilla  here

[html] Cross Domain Form POSTing

Examples related to html

Examples related to security

Examples related to http

Examples related to csrf

Examples related to same-origin-policy