Client HTTP Post to external sites

+2 A:

I don't think so: You won't get hold of the user's auth cookies on the third party site from server side (because of the Single Origin Policy) and you can't make Ajax requests to the third party site.

The best you can do is probably create a <form> (maybe in an <iframe>), point it to the third party site, populate it with data, and have the user submit it (or auto-submit it). You will not be able to get hold of the request results programmatically (again because of the Single Origin Policy), but maybe it'll do - you can still show the request results to the user.

Pekka 2010-08-03 19:34:42

@Pekka you bring up an interesting thought right now that I have never stopped to think about before. So I can't behind the scenes submit a form and get back results on behalf of the user, say uysing ajax. But...if I had a hidden iframe in my site that read cookies from the machine, posted a form to a remote site, scraped the screen with javascript for some juicy information, then posted another hidden form to my site that was recording that information that would be ok. Am I missing something in security that I am just overlooking? It can't be that easy can it?

spinon 2010-08-03 19:39:48

@spinon You can't do it for any properly programmed web site (what you want to do is a cross site request forgery).

Artefacto 2010-08-03 19:41:32

@spinon no, that's not possible because you can't access any part of the document using Javascript. You can't even fetch single pixels from it: http://stackoverflow.com/questions/1936021/javascript-eyedropper-tell-colour-of-pixel-under-mouse-cursor

Pekka 2010-08-03 19:42:30

@Artefacto My interest has been peaked. What do you mean by properly programmed website? I still am not seeing what would prevent me from doing something like this? I am sure there must be something I am missing?

spinon 2010-08-03 19:43:33

@Pekka oh ok that is right. Now I remember that. I knew I was missing something. Thanks for cleaning up my brain fart. Duh!!

spinon 2010-08-03 19:44:13

@spinon A form submission made from another site should not be possible in a site that generates a token per form display (or even per session) and then validates that token on form submission. Google for CSRF. I don't know much about Javascript, but additionally, according to what Pekka claims, even if the form submission succeed, you wouldn't be able to read the result back.

Artefacto 2010-08-03 19:46:46

@Artefacto you are right: Using a form this way *is* a form of CSRF - albeit a legitimate one.

Pekka 2010-08-03 19:48:15

@Pekka yeah I know about that approach but in practice I don't think a lot of smaller sites are using it.

spinon 2010-08-03 20:15:37

@Pekka, @Artefacto thanks for the JS Security 101 lesson. :P

spinon 2010-08-03 20:42:03

A:

I think for obvious reasons this is not allowed. If this was allowed what would stop a malicious person from posting form data from a person's browser to any number of sites in some hidden iframe or popup window.

If this is a design of your application you need to rethink what you are trying to accomplish.

EDIT: As @Pekka was pointing out I know you can submit a form to a remote site using typical form submits. I was referring to using some client side ajax solution. Sorry for the confusion.

spinon 2010-08-03 19:36:28

It's no problem to post form data from a person's browser to an external site. It's just impossible to make a full Ajax request to one, and get the response back programmatically.

Pekka 2010-08-03 19:38:27

@Pekka yeah that is what I was trying to say just not as clearly. Read the comment I left on yours though about something I never thought about before.

spinon 2010-08-03 19:40:39

A:

You should follow the way OpenID and other single-sign-on system works. How openID works is your website POSTs some token to openID service and in return gets authentication result. Refer How Does it Work? section here

Ankit Jain 2010-08-03 19:38:08

Will probably not work because he doesn't control the external site he needs to make the request to.

Pekka 2010-08-03 19:40:57

A:

The client cannot post to an external site directly; it's a breach of basic cross-domain security models. The exception is accessing javascript with JSONP. What you describe would require access to a user's cookies for another website, which is impossible as the browser only allows cookie access within the same domain/path.

You would need to use a server-side proxy to make cross-domain requests, but you still cannot access external cookies: http://jquery-howto.blogspot.com/2009/04/cross-domain-ajax-querying-with-jquery.html

Ian Wetherbee 2010-08-03 19:38:59

The server-side proxy won't really help either, because there are authentication cookies in the client's browser he seems to need to use for the operation.

Pekka 2010-08-03 19:40:06

I said access to cookies is impossible, which includes client+server side methods.

Ian Wetherbee 2010-08-03 20:05:18

A:

Yes, you can use a special flash library that supports cross-domain calls: YUI connection manager

Added: not sure about the cookie authentication issue though...

Larry K 2010-08-03 19:43:20

This sounds good, but I think Flash doesn't use the browser's cookies when making the request. It might be possible to add them manually, though.

Pekka 2010-08-03 19:46:47

The key thing here are the cookies. If they weren't required he could as well setup a reverse proxy in his domain.

Artefacto 2010-08-03 20:02:48

ansaurus

tags:

views:

answers:

Client HTTP Post to external sites

related questions