Is it safe to use $.support.cors = true; in jQuery?

Question

I was trying to hit a web service on a different domain using jQuery\'s ajax method. After doing some research it looks like it does not allow this is by design to prevent

Answer 1

It can help only if you have CORS enabled in your browser but it isn't supported by jQuery yet:

To enable cross-domain requests in environments that do not support cors yet but do allow cross-domain XHR requests (windows gadget, etc), set $.support.cors = true;. CORS WD

Just setting this property to true can't cause security vulnerability.

Answer 2

XSS is not a feature that can be enabled in jQuery. It would be very very unusual if the jQuery core had an XSS vulnerability, but it is possible and its called DOM-based XSS.

"Cross-Origin Resource Sharing" or CORS isn't the same as XSS, BUT, but if a web application had an XSS vulnerability, then an attacker would have CORS-like access to all resources on that domain. In short, CORS gives you control over how you break the same origin policy such that you don't need to introduce a full on XSS vulnerability.

The $.support.cors query feature relies upon the Access-Control-Allow-Origin HTTP response header. This could be a vulnerability. For example, if a web application had Access-Control-Allow-Origin: * on every page, then an attacker would have the same level of access as an XSS vulenrablity. Be careful what pages you introduce CORS headers, and try and avoid * as much as possible.

So to answer your question: NO a web application never needs to introduce an XSS vulnerability because there are way around the SOP such as CORS/jsonp/cross domain proxies/access-control-origin.

Answer 3

When a hacker is able to inject script code to change the requests to another domain, he is also able to set this javascript flag in the script.

So wether this flag is set doesn't change much at this point of the intrusion.