Tags: javascript, network-security

Can JavaScript safely fetch data from untrusted domains?


My webpage has a need to fetch data in a client-side-initiated way from domains which may (sometimes**) be untrusted/attacker-controlled.

Does JavaScript allow one to [safely] fetch data* from a domain which may be untrusted or attacker-controlled?

If so, what function is this?


Clarifications / Addendums / "inb4"s / P.S.:

*The data fetch protocol/format is not [yet] defined; not even as far as HTTP GET vs POST. I have no preference on the data format and may choose+implement it as required/appropriate, inclusive even of plaintext/delimited formats. There is no requirement to use JSON.

**Technically, the domains (which may be arbitrary/user-defined!) must sometimes be loaded over HTTP; this threat model is isomorphic to fetching data from adversarial servers, especially in the context of roaming non-VPN'd network connections. (And, yes, the safe-handling of said untrusted data afterwards is out-of-scope of this question)

XY Problem "X": the driving project here is a web browser homepage/app which will load content (ranging from preferences and trivial widgets to outright content) from sources which may be user-controlled and may (at the user's option) reside on even non-ICANN domains (such as local domains, OpenNIC domains, etc.) It is entirely within-scope and expected/acceptable that some of this content will only be served via TLS, and may serve a variety of purposes ranging from "canaries" (of both MITM presence, and mere network configuration checking) to outright location-specific data. TLS connections may or may not be available due to the aforementioned suite of reasons [that the domains are not pre-defined]; and there is content which must/ought/will be loaded even despite this case.

This is not a duplicate of #29022794. I have no requirement to use JQuery, and that question only asks whether $.getJSON() is safe to use on untrusted URLs (which, a. it does NOT seem to be; and b. even if it were, this question would be asking after the underlying function [that JQuery is calling], rather than asking how to use JQuery per se).


Solution

  • Penciling in a circumstantial yes: XMLHttpRequest appears to be safe to call on untrusted domains.

    Justifications:

    See OWASP's page on AJAX vulnerabilities:

    • Makes no mention of threats posed to a client by [this sort of] maliciously crafted server response; the only client-side risk(s) listed are injections of one sort or another.

    See also this similar question on Security Stack Exchange

    • OP's very question (whether it is safe to parse an XMLHttpRequest to an attacker-controlled server as JSON) necessarily assumes that it's safe to receive such.
    • Two users commented several times on the issue, discussing the implications of parsing said response, and at no point questioned this underlying assumption, only commenting on similar XSS injection attacks to those discussed by OWASP.
      • ThoriumBR (>5y member, 99.8th-percentile 2019 Information Security Stack Exchange user)
      • Ry (>8y member, Stack Overflow moderator)

    While it's very hard to "prove" a negative, especially with security issues, the fact that there's an ocean of content online discussing the risks involved in parsing potentially malicious responses (XSS injection prevention), the risks to servers of such requests (CORS), etc., without, apparently, even one scrap of discussion of this, means it's probably not one of the risks.
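As an added example (not code from the question or the answer above) of what "fetching as data" looks like in practice: the wrapper below uses the Fetch API (the modern counterpart of XMLHttpRequest the answer names) against an arbitrary origin, never sends credentials, refuses redirects, bounds the body size and the time spent, decodes strictly, and then hands the text to `JSON.parse` plus a shape check rather than to anything that executes it (a JSONP-style `<script src=...>` would run attacker code). The `fetchImpl` injection point, the widget schema, the size and timeout values, and the `stubFetch` test double are all assumptions made here so the block runs offline; they are not from the page. Two browser caveats the page does not spell out: a cross-origin response is only readable if the remote server opts in with `Access-Control-Allow-Origin`, and an HTTPS page cannot fetch plain-HTTP data at all (mixed content is blocked), so the plain-HTTP case the question mentions only works from an HTTP page.

```javascript
// Added example, not code from the question or the answer above.
// Assumed (not on the page): `fetchImpl` is injectable so the wrapper can be
// exercised offline; size/timeout caps and the widget schema are illustrative.

const DEFAULT_MAX_BYTES = 1 << 20; // illustrative 1 MiB cap on the buffered body
const DEFAULT_TIMEOUT_MS = 5000;   // illustrative wall-clock limit per request

async function fetchUntrustedText(url, opts = {}) {
  const {
    fetchImpl = globalThis.fetch,
    maxBytes = DEFAULT_MAX_BYTES,
    timeoutMs = DEFAULT_TIMEOUT_MS,
  } = opts;

  const target = new URL(url); // throws TypeError on malformed input
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    throw new Error(`refusing scheme ${target.protocol}`);
  }

  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const resp = await fetchImpl(target.href, {
      mode: 'cors',        // the browser enforces the remote origin's CORS policy
      credentials: 'omit', // never send cookies or HTTP auth to an arbitrary origin
      redirect: 'error',   // an attacker-controlled 3xx cannot bounce us elsewhere
      cache: 'no-store',
      signal: controller.signal,
    });
    if (!resp.ok) throw new Error(`HTTP ${resp.status}`);

    // Stream the body so an oversized response is cut off, not buffered whole.
    const reader = resp.body.getReader();
    const decoder = new TextDecoder('utf-8', { fatal: true }); // reject malformed UTF-8
    let received = 0;
    let text = '';
    for (;;) {
      const { done, value } = await reader.read();
      if (done) break;
      received += value.byteLength;
      if (received > maxBytes) {
        controller.abort();
        throw new Error('response exceeds size cap');
      }
      text += decoder.decode(value, { stream: true });
    }
    text += decoder.decode(); // flush any trailing partial sequence
    return text;
  } finally {
    clearTimeout(timer);
  }
}

// The response is data: parse it with JSON.parse (never eval or a script tag),
// then check its shape before anything downstream touches it.
// The {title, refreshSeconds} schema is an assumed example widget config.
function parseWidgetConfig(text) {
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error('config must be a JSON object');
  }
  if (typeof obj.title !== 'string' || obj.title.length > 200) {
    throw new Error('title must be a short string');
  }
  if (!Number.isInteger(obj.refreshSeconds) ||
      obj.refreshSeconds < 10 || obj.refreshSeconds > 86400) {
    throw new Error('refreshSeconds out of range');
  }
  // Copy only the allowed fields; extra keys (including "__proto__") are dropped.
  return { title: obj.title, refreshSeconds: obj.refreshSeconds };
}

// Constructed test double standing in for a remote server; no network involved.
function stubFetch(bodyText, status = 200) {
  const bytes = new TextEncoder().encode(bodyText);
  return async () => ({
    ok: status >= 200 && status < 300,
    status,
    body: new ReadableStream({
      start(ctrl) { ctrl.enqueue(bytes); ctrl.close(); },
    }),
  });
}

async function loadWidget(url, fetchImpl, maxBytes = DEFAULT_MAX_BYTES) {
  const text = await fetchUntrustedText(url, { fetchImpl, maxBytes });
  return parseWidgetConfig(text);
}

// Stand-alone run against the stub:
loadWidget('https://example.invalid/widget.json',
           stubFetch('{"title":"Weather","refreshSeconds":60}'))
  .then((cfg) => console.log('accepted config:', cfg));
```

In a real page, pass no `fetchImpl` so the browser's own `fetch` is used; the `mode`, `credentials` and `redirect` options are the part that matters for an untrusted origin, and the size cap and strict decoder are what keep a hostile server from turning "receive some data" into a memory or parser problem on the client.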