views:

288

answers:

3

I read the question here in SO "jQuery Linking vs. Download" and I somehow don't get it.

What happens if you host a page on http://yourserver.com, but load jQuery library from http://ajax.googleapis.com and then use the functions defined in jQuery script?

Does "same origin policy" not count in this case? I mean, can you make AJAX calls back to http://yourserver.com?
Is the JavaScript being executed considered as coming from yourserver.com?

My point here is, you do not know what the user has downloaded from some third party server (sorry, Google), and still the code executing on his computer is as good as the one he would download from your server?

EDIT: Does it mean that if I use a web statistics counter from a 3rd party I don't know very well, they might "inject" some code and call into my web services as if their code was part of mine?

+1  A: 

Yes, the policy doesn't apply to <script> tags.

If someone was able to hack google's script store, it would affect every page served from every domain, that uses google.com as their host for scripts.

Cheeso
the same origin policy is a set of rules for javascript.
Rook
I understand what it is. My point is that it does not apply to scripts loaded from `<script>` tags. A browser page can load `<script>` tags from wherever they point to.
Cheeso
+5  A: 

The owner of site http://yourserver.com/ should trust the content it references from other servers (in this case, Google's). The same origin policy doesn't apply to "script" tags.

Of course, the scripts of the foreign servers (once loaded) have access to the whole DOM: so, if the foreign content is compromised, there can be security exposures.

As with many things in the web world, it comes down to trust and continuous management.

Edit:

Does it mean that if I use a web statistics counter from a 3rd party I don't know very well, they might "inject" some code and call into my web services as if their code was part of mine?

Yes.

jldupont
Thank you for the answer. I'm marking it as accepted, even though I still don't like the idea of 3rd party scripts being in my page. But, as you say, this comes down to trust... or no trust ;-)
naivists
+2  A: 

Answering the Edit comment: Yes. Unless the counter was wrapped in an iframe tag, it is as if it was a part of your web site and can call into your web services, access your cookies, etc.

Larry Osterman
what role does the iFrame play here? If it is from the same domain, it can still do `window.parent.document.writeline("ur site iz hackd");` and, since cross-domain policy does not apply here, it will get executed
naivists
naivists: You're right - an iframe hosted on the same domain is on the same domain. But the example given described a counter on a different domain in which case the cross domain policy applies.
Larry Osterman