[Solved] Is it safe to use $.support.cors = true; in jQuery?

I was trying to hit a web service on a different domain using jQuery’s ajax method. After doing some research it looks like it does not allow this is by design to prevent cross site scripting.

I came across a work around which was to include this line:

$.support.cors = true;

at the top of my javascript code. From what I understand this enables cross site scripting in jQuery.

Does having this line of code make my site more vulnerable to attack? I’ve always heard XSS discussed as a security issue, are there legitimate uses for XSS?

Solution #1:

XSS is not a feature that can be enabled in jQuery. It would be very very unusual if the jQuery core had an XSS vulnerability, but it is possible and its called DOM-based XSS.

“Cross-Origin Resource Sharing” or CORS isn’t the same as XSS, BUT, but if a web application had an XSS vulnerability, then an attacker would have CORS-like access to all resources on that domain. In short, CORS gives you control over how you break the same origin policy such that you don’t need to introduce a full on XSS vulnerability.

The $.support.cors query feature relies upon the Access-Control-Allow-Origin HTTP response header. This could be a vulnerability. For example, if a web application had Access-Control-Allow-Origin: * on every page, then an attacker would have the same level of access as an XSS vulenrablity. Be careful what pages you introduce CORS headers, and try and avoid * as much as possible.

So to answer your question: NO a web application never needs to introduce an XSS vulnerability because there are way around the SOP such as CORS/jsonp/cross domain proxies/access-control-origin.

Respondent: Abe Miessler
Solution #2:

It can help only if you have CORS enabled in your browser but it isn’t supported by jQuery yet:

To enable cross-domain requests in environments that do not support
cors yet but do allow cross-domain XHR requests (windows gadget, etc),
set $.support.cors = true;. CORS WD

Just setting this property to true can’t cause security vulnerability.

Respondent: rook
Solution #3:

When a hacker is able to inject script code to change the requests to another domain, he is also able to set this javascript flag in the script.

So wether this flag is set doesn’t change much at this point of the intrusion.

Respondent: bjornd
The answers/resolutions are collected from stackoverflow, are licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0 .

Leave a Reply

Your email address will not be published.