Reputation: 671
Using embedded JS (CORS+AJAX requests) to log in securely across domains
- Imagine I run
sso.com, one central site for sign-on, with a CORS-enabled API - I want to run 20+ static websites (e.g. generated by Jekyll, Hugo) on other domains, e.g.
static1.org,static2.net. - Is it possible and is it safe to render client-side "Logged in as X", "Go To My Dashboard" (etc) on those static sites?
- I imagine they would need to perform an cross-domain AJAX request to
sso.com. - This would check cookies and fetch authenticated user data.
- It could then drop widgets into the static page. Mostly those widgets would link across to
sso.com.
- I imagine they would need to perform an cross-domain AJAX request to
I am unable to find any examples of this scenario being done in practice. Is that because it's actually a security problem? Would we need to be very careful about the approved list of CORS domains?
Upvotes: 2
Views: 146
Answers (1)
Reputation: 7165
This sounds like how data is served to big websites (Facebook, Google, etc).
As far as security goes, as long as you are authenticating server-side, and making sure that crucial account actions (saving things to the database, altering the database etc etc) are done server-side, then you should be perfectly safe in doing this.
The key here is just making sure that sensitive data is handled by the server and not the client. If you keep that in mind, you can build the application with security in mind. Also, never trust user input.
I hope this helps!
Upvotes: 1
Related Questions
- Stop all active ajax requests in jQuery
- Uploading both data and files in one form using Ajax?
- What is the motivation behind the introduction of preflight CORS requests?
- Abort Ajax requests using jQuery
- Wait until all jQuery Ajax requests are done?
- How many concurrent AJAX (XmlHttpRequest) requests are allowed in popular browsers?
- Is CORS a secure way to do cross-domain AJAX requests?
- CORS header for API with a lot of clients
- jQuery: Performing synchronous AJAX requests