cross site scripting XSS warnings in Chrome + IE

11-16-2012 01:04 AM
SeanRyan
New Contributor
In Chrome + IE8 I get XSS warnings, because the javascript originates from my web server, and is making requests to different server (the ArcGIS map server).

In IE the (spurious) XSS warning is very obtrusive to users, as they have to click 'OK' in order to get past the warning.

In Chrome, the console logs the warning:

XMLHttpRequest cannot load http://<map host name>/ArcGIS/rest/info?f=json. Origin http://<myApp hostname>:10350 is not allowed by Access-Control-Allow-Origin.


Workaround:  I have a workaround, to use a proxy on my web server, and force ALL requests from javascript API to go through the proxy:

  esri.config.defaults.io.proxyUrl = "http://myHost/myApp/myArcGisProxy.ashx";
  esri.config.defaults.io.alwaysUseProxy = true;

however, there is a performance impact, as sending *all* requests through the proxy, slows down loading + refreshing the map.


Question: is there some way to use the ArcGIS javascript API, so to avoid this warning ?

I understand that in javascript, the standard way to avoid this issue, is to use JSONP or "JSON with padding" which jQuery provides out of the box.

is there some way to get ArcGIS javascript API to use JSONP ?

OR can the API be updated 🙂
0 Kudos
7 Replies
PaulBelew
New Contributor III
Hi!
Try to use dojo.io.script.get.
See the method description at dojo site.
0 Kudos
derekswingley1
Frequent Contributor
Hi Sean,

These messages:
XMLHttpRequest cannot load http://<map host name>/ArcGIS/rest/info?f=json. Origin http://<myApp hostname>:10350 is not allowed by Access-Control-Allow-Origin.


Are not "XSS warnings" but rather are related to the API trying to detect support for CORS. We've discussed why these errors are logged, and why you can ignore them a couple of times in the past. Please see this post for the background:  http://forums.arcgis.com/threads/60386-Access-Control-Allow-Origin-and-3.0?p=208466&viewfull=1#post2...

The error for CORS detection does not cause IE to display any dialog that requires a click from the user. You can confirm this by visiting any of our samples in IE, such as the terrain + dynamic layer. When I go there in IE 8 and 9, the page loads without any dialogs/warnings/errors.

Can you elaborate on what you're seeing in IE? Are you using mixed http and https resources?

As you've suggested, using a proxy for everything is not a good idea.

Regarding your question about JSONP, the API already uses it extensively. I talked about this more over on GIS.StackExchange:  http://gis.stackexchange.com/a/33177/124

Rather than knowing when to use JSONP and the various XHR options, we encourage our devs to use esri.request and let the API figure out which method (JSONP, xhrGet, xhrPost) to use to execute the request. We have more information on how esri.request works here in the "Under the hood" section:  http://help.arcgis.com/en/webapi/javascript/arcgis/help/jshelp/inside_esri_request.html
0 Kudos
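The console message Derek explains above is the browser enforcing the same-origin rule: the request reaches the map server, but the response is withheld from the script unless it carries an Access-Control-Allow-Origin header that matches the page's origin exactly. The following Node.js example is added here to show both sides of that check; it is not code from the ArcGIS API or from this thread, and the hostnames and allowlist are constructed placeholders.

```javascript
// Added example (Node.js); not code from the ArcGIS API or this thread.
// Models the check behind "Origin ... is not allowed by Access-Control-Allow-Origin":
// the server-side decision of which Origin values get an ACAO header, and the
// browser-side decision of whether to release the response to the calling script.
// All hostnames are constructed placeholders.

// A web origin is scheme + host + port. A page served on port 10350 is a
// different origin from the same host on port 80, which is the usual surprise.
function originOf(url) {
  return new URL(url).origin;
}

// Server side: attach an ACAO header only for origins on an explicit allowlist.
// Echoing whatever Origin arrives would open the service to every site on the
// web; returning null (no header at all) is the safe default.
function corsResponseHeaders(requestOrigin, allowedOrigins) {
  // No Origin header, or the opaque "null" origin: nothing to grant.
  if (!requestOrigin || requestOrigin === 'null') return null;
  const allowed = new Set(allowedOrigins.map(originOf));
  const origin = originOf(requestOrigin);
  if (!allowed.has(origin)) return null; // browser will log the error from the thread
  return {
    'Access-Control-Allow-Origin': origin,
    Vary: 'Origin', // the header value depends on the requester, so caches must key on it
  };
}

// Browser side: the request still reaches the server; only the response is withheld
// unless ACAO matches the page's origin exactly (or is "*" for credential-less requests).
function browserAllowsResponse(pageUrl, responseHeaders) {
  if (!responseHeaders) return false;
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  return acao === '*' || acao === originOf(pageUrl);
}

// The scenario from the thread: the app runs on a non-default port; if the map
// server allowlisted the host without the port, the origins do not match.
function threadScenario() {
  const page = 'http://app.example.com:10350/map.html';
  const withoutPort = corsResponseHeaders('http://app.example.com:10350', ['http://app.example.com']);
  const withPort = corsResponseHeaders('http://app.example.com:10350', ['http://app.example.com:10350']);
  return {
    blocked: !browserAllowsResponse(page, withoutPort),
    allowedOnceFixed: browserAllowsResponse(page, withPort),
  };
}
```

Because the API, as Derek says, probes for CORS support and falls back to JSONP or the proxy when the probe fails, the logged error is informational; the check above is what you would need on the map server side if you wanted the direct XHR path to succeed instead.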
SeanRyan
New Contributor
hi Derek

thank you for the information.

Unfortunately, I am having difficulty reproducing the error.
It occurred during a demo, and not since!

note: I am using the javascript API + Feature Layer, so not making any custom direct requests to the ArcGIS server.

re: HTTPS - it is a SharePoint project, and there is javascript using https references, and they actually point to a different server!
so it looks like they are the cause of this message.


Question - would you know how to avoid / disable these warnings in IE8?
I know the user can change a setting, but is there some other way ?

thanks for your help.

sean
0 Kudos
derekswingley1
Frequent Contributor

Question - would you know how to avoid / disable these warnings in IE8?
I know the user can change a setting, but is there some other way ?


I'm still not sure of the specific error you're seeing in IE. Can you post a screen shot of what you're seeing? As I said initially, testing for CORS support logs a message to the browser's console and does not require any interaction from the user. If you're seeing security warnings, it's probably because you have mixed http and https resources in your page.
0 Kudos
SeanRyan
New Contributor
hi Derek

thanks for the reply.

Re: screenshot.
As soon as I can reproduce the error, I will get a screenshot.

Re: mixed https + http.
YES the page does have mixed https + http - so that is probably the cause of the security warning.
the warning occurred, even when just panning the map a bit.

Do you think there is a way to get IE8 to NOT show the security warning, when there are such mixed sources (http + https)?

I think we need a screenshot before we can take this much further.....

thanks for your help

sean
0 Kudos
derekswingley1
Frequent Contributor

Re: mixed https + http.
YES the page does have mixed https + http - so that is probably the cause of the security warning.
the warning occurred, even when just panning the map a bit.

Are your map services using https? That is, do the URLs you pass to esri.layers.ArcGISDynamicMapServiceLayer or esri.layers.ArcGISTiledMapServiceLayer use https?


Do you think there is a way to get IE8 to NOT show the security warning, when there are such mixed sources (http + https)?

I think we need a screenshot before we can take this much further.....

There is probably a way, but it's likely a per-client setting and not something you can control via your app. The best solution will be to make sure that all resources are accessed over https.
0 Kudos
SeanRyan
New Contributor
hi Derek

thanks for the help.

managed to reproduce this issue on Friday (but not this morning !).

We have a proxy, which is used by the ArcGIS JS API to relay requests to the ArcGIS server when the request is too long (> 2048 chars, I think).

I think the IE warning box only shows, when our proxy is used:

IE shows warning.

“This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?”

The warning occurs for me with IE8.

here is an example RAW dump from Fiddler2:

REQUEST (via Fiddler2)
POST http://webServer:10350/sites/Casper/_layouts/Shell.SharePoint.Casper/proxies/intDbSearch/ArcGisProxy... /ArcGIS/rest/services/Global/2D_Casper_Paleo/FeatureServer/0/query HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://webserver:10350/sites/Casper/InteractiveDBSearch.aspx
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0E; .NET4.0C)
Host: webserver:10350
Content-Length: 2075
Connection: Keep-Alive
Pragma: no-cache
Cookie: WSS_KeepSessionAuthenticated={8f7986a9-362d-4157-894e-9891cf1a3e22}; SPSessionGuid=1e5ee9ed-e452-401b-96cf-291f85247d8c; ASP.NET_SessionId=nof52uuqrotuzunzarmk5g3h

f=json&where=(RESID%20IN%20('1'%2C'92'%2C'183'%2C'274'%2C'365'%2C'456'%2C'547'%2C'638'%2C'729'%2C'820'%2C'911'%2C'1002'%2C'1093'%2C'1184'%2C'1275'%2C'1366'%2C'1457'%2C'1548'%2C'1639'%2C'1730'%2C'1821'%2C'1912'%2C'2003'%2C'2094'%2C'2185'%2C'2276'%2C'2367'%2C'2458'%2C'2549'%2C'2640'%2C'2731'%2C'2822'%2C'2913'%2C'3004'%2C'3095'%2C'3186'%2C'3277'%2C'3368'%2C'3459'%2C'3550'%2C'3641'%2C'3732'%2C'3823'%2C'3914'%2C'4005'%2C'4096'%2C'4187'%2C'4278'%2C'4369'%2C'4460'%2C'4551'%2C'4642'%2C'4733'%2C'4824'%2C'4915'%2C'5006'%2C'5097'%2C'5188'%2C'5279'%2C'5370'%2C'5461'%2C'5552'%2C'5643'%2C'5734'%2C'5825'%2C'5916'%2C'6007'%2C'6098'%2C'6189'%2C'6280'%2C'6371'%2C'6462'%2C'6553'%2C'6644'%2C'6735'%2C'6826'%2C'6917'%2C'7008'%2C'7099'%2C'7190'%2C'7281'%2C'7372'%2C'7463'%2C'7554'%2C'7645'%2C'7736'%2C'7827'%2C'7918'%2C'8009'%2C'8100'%2C'8191'%2C'8282'%2C'8373'%2C'8464'%2C'8555'%2C'8646'%2C'8737'%2C'8828'%2C'8919'%2C'9010'%2C'9101'%2C'9192'%2C'9283'%2C'9374'%2C'9465'%2C'9556'%2C'9647'%2C'9738'%2C'9829'%2C'9920'%2C'10011'%2C'10102'%2C'10193'%2C'10284'%2C'10375'%2C'10466'%2C'10557'%2C'10648'%2C'10739'%2C'10830'%2C'10921'%2C'11012'%2C'11103'%2C'11194'%2C'11285'%2C'11376'%2C'11467'%2C'11558'%2C'11649'%2C'11740'%2C'11831'%2C'11922'%2C'12013'%2C'12104'%2C'12195'%2C'12286'%2C'12377'%2C'12468'%2C'12559'%2C'12650'))%20%20and%20(UPPER(PERIOD)%20IN%20(UPPER('15Ma')))%20&returnGeometry=true&spatialRel=esriSpatialRelIntersects&geometry=%7B%22rings%22%3A%5B%5B%5B0.009211096912622451%2C-7884477.3515425995%5D%2C%5B0.009211096912622451%2C12153031.000457402%5D%2C%5B20037508.342788905%2C12153031.000457402%5D%2C%5B20037508.342788905%2C-7884477.3515425995%5D%2C%5B0.009211096912622451%2C-7884477.3515425995%5D%5D%2C%5B%5B-20037508.342788905%2C-7884477.3515425995%5D%2C%5B-20037508.342788905%2C12153031.000457402%5D%2C%5B-20037508.32436671%2C12153031.000457402%5D%2C%5B-20037508.32436671%2C-7884477.3515425995%5D%2C%5B-20037508.342788905%2C-7884477.3515425995%5D%5D%5D%2C%22spatialReference%22%3A%7B%22wkid%22%3A102100%7D%7D&geometryType=esriGeometryPolygon&inSR=102100&outFields=*&outSR=102100


RESPONSE (via Fiddler2)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
SPRequestGuid: 7b31666a-c6d0-4a56-ad6e-98d79df019b5
Set-Cookie: WSS_KeepSessionAuthenticated={8f7986a9-362d-4157-894e-9891cf1a3e22}; path=/
X-SharePointHealthScore: 0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 14.0.0.6109
Date: Mon, 10 Dec 2012 09:36:04 GMT
Content-Length: 8212

{"objectIdFieldName":"OBJECTID","globalIdFieldName":"","geometryType":"esriGeometryPoint","spatialReference":{"wkid":102100},"fields":[{"name":"OBJECTID","alias":"OBJECTID","type":"esriFieldTypeOID"},{"name":"BEGINSMA","alias":"BeginsMa","type":"esriFieldTypeDouble"},{"name":"ENDSMA","alias":"EndsMa","type":"esriFieldTypeDouble"},{"name":"APPEARANCE","alias":"APPEARANCE","type":"esriFieldTypeDouble"},{"name":"DISAPPEARA","alias":"DISAPPEARA","type":"esriFieldTypeDouble"},{"name":"BEGINS","alias":"Begins","type":"esriFieldTypeString","length":254},{"name":"ENDS","alias":"Ends","type":"esriFieldTypeString","length":254},{"name":"FIELDNAME","alias":"FieldName","type":"esriFieldTypeString","length":254},{"name":"RESUNIT","alias":"ResUnit","type":"esriFieldTypeString","length":254},{"name":"FIELDLAT","alias":"FieldLat","type":"esriFieldTypeDouble"},{"name":"FIELDLONG","alias":"FieldLong","type":"esriFieldTypeDouble"},{"name":"FIELDID","alias":"FieldID","type":"esriFieldTypeDouble"},{"name":"RESID","alias":"ResID","type":"esriFieldTypeDouble"},{"name":"FID_TM_PLATE_POLYGONS","alias":"FID_TM_plate_polygons","type":"esriFieldTypeInteger"},{"name":"PLATE_CODE","alias":"PLATE_CODE","type":"esriFieldTypeDouble"},{"name":"DESCRIPTIO","alias":"Descriptio","type":"esriFieldTypeString","length":254},{"name":"APPEARANCE_1","alias":"APPEARANCE_1","type":"esriFieldTypeDouble"},{"name":"DISAPPEARA_1","alias":"DISAPPEARA_1","type":"esriFieldTypeDouble"},{"name":"CVD.CASPER_CARBONATEFIELDS.AREA","alias":"CVD.CASPER_CARBONATEFIELDS.AREA","type":"esriFieldTypeDouble"},{"name":"PLATE_NAME","alias":"PLATE_NAME","type":"esriFieldTypeString","length":255},{"name":"PERIOD","alias":"PERIOD","type":"esriFieldTypeString","length":6}],"features":[{"geometry":{"x":1230243.9268671712,"y":4281391.6730669849},"attributes":{"OBJECTID":1502,"BEGINSMA":20.43,"ENDSMA":13.65,"APPEARANCE":25,"DISAPPEARA":-999,"BEGINS":"20.43… … … …}}]}

It looks like IE8 can somehow see that a proxy is being used, and that data is coming back from a server that is not the web server (i.e. the mapserver).

by the way - the IE warning only shows once per session (IE remembers the user's response) and the warning is spurious - it does not always show.


Perhaps you have seen this IE warning message before ?
I wonder is there anything that can be done to prevent the warning.

for example - could the proxy modify the response before streaming it to browser ?

regards
sean
0 Kudos
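The thread touches three routing questions without showing code: the opening post's alwaysUseProxy workaround and its cost, Derek's advice that every resource should be fetched over https so IE has nothing to prompt about, and Sean's observation that the proxy is used only for requests over roughly 2048 characters. The Node.js example below is added here to model those decisions on the client, plus the one check a relay proxy on the web server needs regardless of the warning: an allowlist of hosts it will forward to. It is not code from the thread, the ArcGIS JavaScript API or Esri's proxy page; the "proxy?targetUrl" convention, the 2048 figure as a configurable limit and all hostnames are assumptions for the example.

```javascript
// Added example (Node.js); not code from the thread, the ArcGIS JavaScript API or
// Esri's proxy page. It models the two routing decisions the thread circles around:
// on the client, when a request goes through the web-server proxy (the thread's rule:
// only when the request is too long, about 2048 characters, unless alwaysUseProxy is
// set), and on the server, which targets the proxy may relay to at all.
// Assumed: the "proxy?targetUrl" convention, the 2048 figure, and all hostnames.

const DEFAULT_URL_LIMIT = 2048; // assumed from the thread's "> 2048 chars I think"

// Client side: build the request and decide how it travels. Short requests go
// straight to the service as GET; long ones (or everything, if alwaysUseProxy)
// are POSTed to the proxy, which is the slow path the opening post complains about.
function planRequest(pageUrl, serviceUrl, params, opts) {
  const limit = opts.urlLimit || DEFAULT_URL_LIMIT;
  const query = new URLSearchParams(params).toString();
  const directUrl = serviceUrl + (serviceUrl.includes('?') ? '&' : '?') + query;
  const page = new URL(pageUrl);
  const service = new URL(serviceUrl);
  const viaProxy = Boolean(opts.alwaysUseProxy) || directUrl.length > limit;
  if (viaProxy && !opts.proxyUrl) {
    throw new Error('request exceeds the URL limit and no proxyUrl is configured');
  }
  return {
    method: viaProxy ? 'POST' : 'GET',
    url: viaProxy ? `${opts.proxyUrl}?${serviceUrl}` : directUrl,
    body: viaProxy ? query : null,
    viaProxy,
    crossOrigin: page.origin !== service.origin, // the browser applies CORS here
    // An https page loading an http service is what triggers the IE prompt.
    mixedContent: page.protocol === 'https:' && service.protocol === 'http:',
  };
}

// Server side: the proxy receives "proxy.ashx?http://host/path?query" and must
// decide whether to relay. Forwarding to any URL the client names would make the
// web server an open relay, so only hosts you operate are accepted.
function resolveProxyTarget(proxyRequestUrl, allowedHosts) {
  const rawTarget = new URL(proxyRequestUrl).search.slice(1); // everything after the first "?"
  let target;
  try {
    target = new URL(rawTarget);
  } catch (e) {
    return { ok: false, reason: 'target is not an absolute URL' };
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { ok: false, reason: 'unsupported scheme ' + target.protocol };
  }
  if (!allowedHosts.includes(target.host)) { // host includes a non-default port
    return { ok: false, reason: 'host not allowlisted: ' + target.host };
  }
  return { ok: true, target: target.toString() };
}
```

The mixedContent flag is the cheap way to find the http resources Derek asks about before a user ever sees the prompt; the prompt itself is a per-client setting, so nothing the proxy does to the response will suppress it. The allowlist in resolveProxyTarget is independent of the warning: a relay that accepts arbitrary targets lets anyone reach, through your web server, whatever that server can reach.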