htmlsecurityhttpcsrfsame-origin-policy

Cross Domain Form POSTing


I've seen articles and posts all over (including SO) on this topic, and the prevailing commentary is that same-origin policy prevents a form POST across domains. The only place I've seen someone suggest that same-origin policy does not apply to form posts, is here.

I'd like to have an answer from a more "official" or formal source. For example, does anyone know the RFC that addresses how same-origin does or does not affect a form POST?

clarification: I am not asking if a GET or POST can be constructed and sent to any domain. I am asking:

  1. if Chrome, IE, or Firefox will allow content from domain 'Y' to send a POST to domain 'X'
  2. if the server receiving the POST will actually see any form values at all. I say this because the majority of online discussion records testers saying the server received the post, but the form values were all empty / stripped out.
  3. What official document (i.e. RFC) explains what the expected behavior is (regardless of what the browsers have currently implemented).

Incidentally, if same-origin does not affect form POSTs - then it makes it somewhat more obvious of why anti-forgery tokens are necessary. I say "somewhat" because it seems too easy to believe that an attacker could simply issue an HTTP GET to retrieve a form containing the anti-forgery token, and then make an illicit POST which contains that same token. Comments?


Solution

  • The same origin policy is applicable only for browser side programming languages. So if you try to post to a different server than the origin server using JavaScript, then the same origin policy comes into play but if you post directly from the form i.e. the action points to a different server like:

    <form action="http://someotherserver.com">
    

    and there is no javascript involved in posting the form, then the same origin policy is not applicable.

    See wikipedia for more information