CORS to JSONP - sgml/signature GitHub Wiki
Test URLs
| REST API | Description | Documentation Link |
|-------------------|----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
| Wikipedia API | Supports JSONP callbacks, allowing you to fetch data from Wikipedia and wrap it in a callback function. | [Wikipedia API Documentation](https://www.mediawiki.org/wiki/API:Main_page) |
| GitHub API | Supports JSONP for cross-origin requests by sending a `callback` parameter with GET calls. | [GitHub API Documentation](https://docs.github.com/en/[email protected]/rest/using-the-rest-api/using-cors-and-jsonp-to-make-cross-origin-requests) |
| dotCMS API | Supports JSONP for cross-domain calls by adding a `callback` parameter to the RESTful URL request. | [dotCMS API Documentation](https://docs.dotcms.com/docs/latest/docs/latest/content-api-jsonp) |
Security Testing Projects
Mediawiki
```javascript
// JSONP request against the MediaWiki API. The response is a script that calls
// the function named in the `callback` parameter, so that function must exist
// globally before the script tag is appended, or the call throws ReferenceError.
var apiEndpoint = "https://commons.wikimedia.org/w/api.php";
var params = "action=query&list=allimages&ailimit=3&format=json&callback=foo";

window.foo = function (data) {
  console.log('JSONP payload:', data);
};

var script = document.createElement('script');
script.src = apiEndpoint + "?" + params;
// Register the handlers before insertion so a fast (cached) load is not missed.
script.onload = function () {
  document.body.removeChild(script);
};
script.onerror = function (error) {
  console.error('Error fetching data:', error);
  document.body.removeChild(script);
};
document.body.appendChild(script);
```
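The snippet above shows the client side of JSONP; the added example below (not the wiki's code, nor that of any API listed) shows the server side check that makes such an endpoint safe to expose: the `callback` value is echoed into a script body, so it is restricted to a plain identifier before use. `isSafeCallbackName`, `jsonpResponse` and the sample record are constructed for this example.

```javascript
// Added example (not from the wiki): a JSONP responder that validates the
// callback name before echoing it. Function names and sample data are invented.

// Only a dotted JavaScript identifier is accepted (e.g. "foo", "app.cb").
// Anything else, such as "alert(1)//", is rejected rather than echoed into the
// script body, which would otherwise be a reflected script injection.
var CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Build the HTTP response for a JSONP request. `data` is the JSON-serialisable
// record, `callback` is the raw query-string value.
function jsonpResponse(data, callback) {
  if (!isSafeCallbackName(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid callback name'
    };
  }
  // The leading comment stops the caller-chosen name from controlling the first
  // bytes of the response (the Rosetta Flash mitigation); nosniff and an explicit
  // script content type keep browsers from interpreting it as anything else.
  var body = '/**/' + callback + '(' + JSON.stringify(data) + ');';
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff'
    },
    body: body
  };
}

// Constructed sample record standing in for an API result.
var SAMPLE = { query: { allimages: [{ name: 'Example.jpg' }] } };

var ok = jsonpResponse(SAMPLE, 'foo');
var bad = jsonpResponse(SAMPLE, 'alert(1)//');
console.log(ok.status, ok.body);
console.log(bad.status, bad.body);
```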
References
Troubleshooting
- Add comments
- Understand the tests
- Experiment on both sides of the equation
- https://digital.gov/2014/07/14/working-with-apis-for-non-coders-recap/
- https://www.usps.com/business/web-tools-apis/documentation-updates.htm
- https://www.federalregister.gov/reader-aids/developer-resources/rest-api
- https://developer.companieshouse.gov.uk/api/docs/index/gettingStarted/introductionToAPI.html
- https://developers.arcgis.com/javascript/3/jshelp/inside_esri_request.html
- https://www.gov.uk/guidance/gds-api-technical-and-data-standards
- https://www.bing.com/api/maps/sdk/mapcontrol/isdk/geojsonreadexternal
CORS
- https://metacpan.org/pod/Plack::Middleware::CrossOrigin
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/07-Testing_Cross_Origin_Resource_Sharing.html
- https://chromium.googlesource.com/chromium/src/+/HEAD/android_webview/docs/cors-and-webview-api.md
- http://blogs.reliablepenguin.com/2017/04/13/test-cors-curl
- https://reqbin.com/req/c-taimahsa
- https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
- https://www.wikihow.com/Enable-Cross-Origin-Resource-Sharing-%28CORS%29-for-Sharing-Resource-Using-Apache-Servers%2C-PHP-and-Jquery
- https://cors-errors.info/faq
- https://www.w3.org/2011/webappsec/track/actions/46
- https://wiki.mozilla.org/Security/Origin
Github Issues
- Same-origin policy and Cross-origin resource sharing (CORS) #80 - ajhsu/blog
- Disable same origin policy #566 - responsively-org/responsively-app
- [css-images] image-orientation:none violates same-origin policy #5165 - w3c/csswg-drafts
CSRF
- https://security.stackexchange.com/questions/9096/how-an-iframe-can-cause-xsrf
- https://security.stackexchange.com/questions/8099/is-it-possible-to-forge-a-post-request
- https://blog.codinghorror.com/cross-site-request-forgeries-and-you/
- https://security.stackexchange.com/questions/158045/is-checking-the-referer-and-origin-headers-enough-to-prevent-csrf-provided-that
- https://engineering.mixmax.com/blog/modern-csrf/