how to make a cross domain request that isn't forgeable
I need to get some data from Site B into Site A's server side. In order to make the request to Site B to retrieve the data, there are cookies associated with Site B's domain which need to be present. I assume I therefore need to do this in JavaScript with JSONP?

My idea was to use JavaScript to make the request to B and then capture the result and stick it in a cookie on A's domain, such that subsequent requests to A would carry the cookie with the returned data (it doesn't matter that it takes two requests to A to get the information to A's server side). This would work fine, except it's completely hackable.

The data itself isn't secret, but I need to prevent request forgery, or people on Site A calling the JSONP callback function manually, or setting the A cookie manually with stolen or otherwise faked data. Also, is there any other loophole for hacking? This would also need preventing!

The only way I can think of doing this is:

Site A generates a random token and stores it in the session. It then appends this token to the query string of the JSONP request to Site B. Site B then responds, but encrypts the usual data along with the token using digital signing. Site A then sticks this value in a cookie on A. In the next request to A, A's server side can capture the cookie, get the value, decrypt it, check the token and, if it matches the value in the session, trust the rest of the data.

Does this sound sensible? Is there an easier way? My goal is to reduce the complexity at A's end.

Thanks
 
