Before we move on to discussing some browser-side attack techniques, we should probably clarify that there are lots of ways to make cross-origin calls other than the ones we’ve talked about here. Technically, all script code needs to make a cross-origin request is a way for it to send an HTTP GET message, and there are dozens of ways to do this. The catch is that just being able to send a cross-origin request usually isn’t useful unless you’re able to read the response. But the operative word here is “usually.”
If an attacker is trying to steal your private information like your bank account number, and he can’t get the bank to send it to him directly, maybe he can take an alternative tack and trick you into sending it to him. And in this case, you won’t even need to wire a money order to someone claiming to be the Prime Minister of Nigeria—all you’ll have to do is visit a vulnerable web site, and your browser will silently and automatically send the attacker the information he’s looking for. In the next chapter, we’ll look at the most popular browser-based attacks designed to bypass the same-origin policy: cross-site scripting and cross-site request forgery.
Defining the same-origin policy
Which request components define an origin
How different browsers define origin in different ways
Why we need the same-origin policy: taking a look at a world without it
Exceptions to the same-origin policy
The HTML <script> element
JSON and JSONP
iframes and JavaScript’s document.domain property
Adobe Flash cross-domain policy file
Microsoft Silverlight client access policy file
XMLHttpRequest (Ajax) and cross-origin resource sharing (CORS)
Internet Explorer’s XDomainRequest