Let's say I have a domain, js.mydomain.com, and it points to some IP address, and some other domain, requests.mydomain.com, which points to a different IP address. Can a .js file downloaded from js.mydomain.com make Ajax requests to requests.mydomain.com?
How exactly do modern browsers enforce the same-domain policy?
The short answer to your question is no: for AJAX calls, you can only access the same hostname (and port / scheme) as your page was loaded from.
There are a couple of work-arounds: one is to create a URL in foo.example.com that acts as a reverse proxy for bar.example.com. The browser doesn't care where the request is actually fulfilled, as long as the hostname matches. If you already have a front-end Apache webserver, this won't be too difficult.
Another alternative is AJAST, which works by inserting script tags into your document. I believe that this is how Google APIs work.
You'll find a good description of the same origin policy here: http://code.google.com/p/browsersec/wiki/Part2
This won't work because the host name is different. Two pages are considered to be from the same origin if they have the same host, protocol and port.
From Wikipedia on the same origin policy:
The term "origin" is defined using the domain name, application layer protocol, and (in most browsers) TCP port of the HTML document running the script. Two resources are considered to be of the same origin if and only if all these values are exactly the same.
Suppose that my computer is not compromised. If somebody is listening somewhere between my computer and the server (my ISP for example), what can they see of my HTTPS connection?
I assume they can see the domain (e.g. google.com).
But what about the specific site I'm browsing (e.g. /wiki/Privacy in https://en.wikipedia.org/wiki/Privacy)?
What about the subdomain (e.g. en in https://en.wikipedia.org/wiki/Privacy)?
What about GET parameters, everything after the '?' (e.g. https://www.google.com/search?q=privacy). Can they see what I search on google?
Please feel free to add more info in case I've missed asking about something relevant.
Example: https://www.google.com/search?q=privacy
They can see:
The full domain (domain or subdomain, here "www.google.com")
The IP of the contacted domain
The approximate size of the exchanged data
The duration of the exchange(s)
They cannot see:
The path (the part of the URL after the domain, here "/search")*
The GET or POST parameters (here "?q=privacy")
The content of the answer
The cookies
*After a bug in proxy discovery, the path and GET parameters may be transmitted in plain text (http://www.securitynewspaper.com/2016/08/01/proxy-pac-hack-allows-intercept-https-urls/).
And with the approximate size of the exchanged data, it may be possible to infer which pages were visited.
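What the on-path observer in the answer above can actually read, as an added example in Ruby (not part of the original post): it builds a minimal, constructed TLS ClientHello and extracts the cleartext server_name (SNI) field, which is where the full host name leaks. The helper names are this example's own, and it assumes a connection without Encrypted Client Hello.

```ruby
# Added example: the ClientHello below is constructed, not captured traffic.

# Build a minimal TLS ClientHello record carrying one server_name (SNI) entry.
def build_client_hello(host)
  name_entry = [0, host.bytesize].pack('Cn') + host.b        # name_type 0 = host_name
  sni_data   = [name_entry.bytesize].pack('n') + name_entry  # server_name_list
  extensions = [0x0000, sni_data.bytesize].pack('nn') + sni_data
  body = [0x0303].pack('n') + ("\x00".b * 32) +              # version, random
         [0].pack('C') +                                     # empty session_id
         [2, 0x1301].pack('nn') +                            # one cipher suite
         [1, 0].pack('CC') +                                 # null compression
         [extensions.bytesize].pack('n') + extensions
  handshake = [1].pack('C') + [body.bytesize].pack('N')[1, 3] + body
  [0x16, 0x0301, handshake.bytesize].pack('Cnn') + handshake
end

# Return the host name visible to an on-path observer, or nil when the record
# is not a ClientHello, carries no SNI, or is truncated/malformed.
def sni_from_client_hello(record)
  bytes = record.b
  return nil unless bytes.getbyte(0) == 0x16 && bytes.getbyte(5) == 0x01
  pos = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
  pos += 1 + bytes.getbyte(pos)                # session_id
  pos += 2 + bytes[pos, 2].unpack1('n')        # cipher_suites
  pos += 1 + bytes.getbyte(pos)                # compression_methods
  ext_end = pos + 2 + bytes[pos, 2].unpack1('n')
  pos += 2
  while pos + 4 <= ext_end
    type, len = bytes[pos, 4].unpack('nn')
    if type == 0                               # server_name extension
      name_len = bytes[pos + 7, 2].unpack1('n')  # skip list length (2) + name_type (1)
      return bytes[pos + 9, name_len].force_encoding('UTF-8')
    end
    pos += 4 + len
  end
  nil
rescue NoMethodError, TypeError                # ran off the end of a short record
  nil
end
```

The path, query string and cookies are absent from these bytes because they are sent later, inside the encrypted HTTP request.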
Is it possible to route dns to different servers based on the protocol of the request without using a proxy server?
For example wss://example.com goes to 1 server and https://example.com goes to a different one.
In principle no, this is not possible. Although there are exceptions.
When you use an application and request a network address, e.g. example.com, the application will (typically) pass on a request to the OS to open a connection to that address.
Because the OS can only make a connection to an IP address, the first thing it does is to make a DNS request to find out the address it can connect to. There is no mechanism at all to tell that DNS request what protocol is being requested. At the point the OS makes the DNS request it is simply 'What is the address for example.com?'; there is no space in the body of the message for more information.
In that sense it is not possible.
However there are a few services that use SRV records to find the server they need to connect to.
In these cases the application will say to the OS 'get me the SRV record for _somefancyservice.example.com'. When it has that record, it will then send another request to the OS to open a connection to whatever it found in the SRV record.
So you could, in theory, write an application that performed the SRV record query first, and then opened a connection to whatever was returned.
I wrote a more detailed answer specifically about wss, which you may find interesting.
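The "query the SRV record first, then connect" flow from the answer above, as an added example in Ruby using the standard Resolv library (not code from the original post). It goes a step beyond the answer by applying the RFC 2782 priority and weight rules to choose among several records; the `_wss` service label, host names and ports are hypothetical.

```ruby
require 'resolv'

SRV = Resolv::DNS::Resource::IN::SRV

# Constructed sample answer for _wss._tcp.example.com (hypothetical names).
SAMPLE_RECORDS = [
  SRV.new(10, 60, 443,  'ws1.example.com'),
  SRV.new(10, 40, 8443, 'ws2.example.com'),
  SRV.new(20, 100, 443, 'backup.example.com')
].freeze

# Live lookup (needs network): the application asks for SRV, not for an address.
def lookup_srv(service, domain, proto: 'tcp')
  Resolv::DNS.open { |dns| dns.getresources("_#{service}._#{proto}.#{domain}", SRV) }
end

def endpoint(record)
  [record.target.to_s, record.port]
end

# RFC 2782 selection: the lowest priority value wins; within that group the
# choice is weighted. `roll` is injectable so the result can be tested.
def pick_srv_target(records, roll: nil)
  return nil if records.empty?
  best  = records.map(&:priority).min
  group = records.select { |r| r.priority == best }
  total = group.sum(&:weight)
  return endpoint(group.first) if total.zero?
  roll ||= rand(total)
  group.each do |r|
    return endpoint(r) if roll < r.weight
    roll -= r.weight
  end
  endpoint(group.last)                         # roll was out of range
end
```

The host and port returned by `pick_srv_target` are what the application would then pass to its normal connect call, which triggers the ordinary address lookup for that target.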
Rather than just read theory, I decided to test how jQuery's CDN reduces website latency. My method is pretty basic.
Assuming a web developer places the following jQuery (CDN) tag on a web page:
<script src="//code.jquery.com/jquery-1.12.0.min.js"></script>
The DNS lookup for code.jquery.com should return the IP of the closest (proxy / caching / CDN) server depending on where I'm located in the world.
I have two IP addresses.
At work I go through a proxy, my IP maps to the United States. Using my phone's cellular connection, my IP address maps to the United Kingdom (I am located in the UK). I tested this multiple times.
Using both connections, I performed a DNS lookup on code.jquery.com. On both occasions, the IP of a server in the United States was returned:
code.jquery.com is an alias for code.jquery.netdna-cdn.com.
code.jquery.netdna-cdn.com has address 94.46.159.11
I assumed a DNS lookup would return a proxy server in Europe (when my IP maps to the United Kingdom) and jquery-1.12.0.min.js is served from the closest edge server.
Update
I found the article, Different CDN technologies: DNS Vs Anycast Routing, incredibly useful and I wanted to include it here for others. It covers two methods for ensuring a user hits an edge caching server that's geographically nearby.
I get the same IP from my location (Latvia). But I asked the guys from the jQuery CDN provider (which is maxcdn.com), and they told me this:
Though the IP itself is registered in US, it's not a standard unicast IP.
This one uses the anycast system, which means it resolves to multiple locations at the same time.
The easiest way you can check that is to do a traceroute to 94.46.159.11.
The traceroute will end up in Europe on one of our EU servers.
I've traced the request, and ended up in Frankfurt.
This is a "Blocked Port 80" related question, but maybe something a bit unique. I've yet to find a good answer. It's more academic than anything as I know running a production server at your house is a ridiculous idea.
I'm running a development server (LAMP) at my home but my ISP blocks port 80. The DNS for my domain is set up to "URL Redirect" to my IP and port number. My router is port-forwarding to my server, and I have Apache set up so it's listening on port 8081.
The issue is that when you access the domain, the URL in the browser is resolved from my domain name to the IP and port number, and is displayed as such. For example, you type "www.banana.com" into the browser, the site is displayed but now the URL is shown as "12.23.456.11:8081".
Is there any way to fix this so that the domain name does not become IP and port number?
Can you use Apache proxy functionality somehow?
Could you use mod_rewrite to change the IP and port number back to the domain name?
Thanks in advance!
This question has three parts. First the issue of the domain: in order to substitute a domain name in place of an IP address you need some name server that can map your desired name to an address. This is at the host level and not the port level so a domain name will encompass all ports you might host from it. If you are using your home Internet connection (which I suspect you are since you talk about a blocked port) then you need to take into account that from time to time your public IP address can change. Your options are to pay for (or request) a static IP from your ISP or use a dynamic DNS service that can rapidly update their records as your IP address changes.
As for your port number. Mod_rewrite only handles the path part of a URL; for using different ports internally you want mod_proxy. The Apache web server with mod_proxy would be configured to listen on the public port you want (that I assume is port 80) then mod_proxy would take incoming requests and send them to another web server on a different port (or even different server). To the outside user this happens invisibly. The problem is if your ISP won't let you host your site on port 80 then it logically won't let you proxy from port 80. To get around this would be a little harder. Personally I would look at a virtualized server from people like Rackspace or Linode. You would get (for relatively little money) a fully configurable server on the open Internet with no restrictions on port usage and a static IP. Even better, if you mess something up you can just virtually delete your server and start over with a fresh OS image.
Finally the clean URLs your question title suggests. It's possible this wasn't part of your actual question but just in case, mod_rewrite is a smart module that can let you map clean URLs like /cars/Toyota/1997 and turn them into more ugly requests like /cars.php?make=Toyota&year=1997. Clean URLs not only look better they make it easier to reorganize web code behind the scenes as your web site evolves.
One last thing, and it's amazing to me that this question has gone so long without even a comment about this, but this question is really not a good fit for StackOverflow. Possibly ServerFault.com. Good luck! :)
I want to resolve the DNS requests issued from within a Ruby script through a DNS server, different from the ones in resolv.conf. While I could do that manually by using Resolv::DNS or something like that, I'd like to do that for all the requests (like the ones issued by RestClient, for example). Any ideas?
RestClient uses net/http and uses the host name part of the provided URL to open a TCP socket:
https://github.com/ruby/ruby/blob/trunk/lib/net/http.rb?source=cc#L879
The simplest way to change which host is accessed is to manually change the URL to use an IP address by performing the lookup yourself.
Alternatively, you can replace the resolver of the various *Socket classes, and there is actually an example of how to do this here: https://github.com/ruby/ruby/blob/4c2304f0004e9f1784540f3d36976aad9eab1f68/lib/resolv-replace.rb
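One way to apply the resolver replacement described above process-wide, as an added example (not code from the original answer or from the Ruby project). The name server 192.0.2.53 is a documentation-range placeholder, `api.internal.test` is a made-up name, and `use_custom_resolvers` and `demo_lookup` are this example's own helpers.

```ruby
require 'resolv'
require 'resolv-replace'   # makes IPSocket/TCPSocket/UDPSocket resolve names via Resolv
require 'socket'
require 'tempfile'

# Point every Resolv-backed lookup in this process at the given resolvers.
# Entries in hosts_file win; all other names go only to the listed DNS servers,
# so the servers from resolv.conf are no longer consulted.
def use_custom_resolvers(nameservers:, hosts_file: nil)
  resolvers = []
  resolvers << Resolv::Hosts.new(hosts_file) if hosts_file
  resolvers << Resolv::DNS.new(nameserver: nameservers)
  Resolv::DefaultResolver.replace_resolvers(resolvers)
end

# Constructed demo: a temporary hosts file stands in for the alternate DNS
# server so the lookup path can be exercised without network access.
def demo_lookup(name = 'api.internal.test')
  Tempfile.create('hosts') do |f|
    f.write("127.0.0.1 #{name}\n")
    f.flush
    use_custom_resolvers(nameservers: ['192.0.2.53'], hosts_file: f.path)
    IPSocket.getaddress(name)   # the address TCPSocket.new(name, port) would use
  end
end
```

Code that resolves names outside these Ruby socket classes, such as native extensions with their own resolver, is not affected by this replacement.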