I was trying to hit a web service on a different domain using jQuery’s ajax method. After doing some research it looks like it does not allow this is by design to prevent cross site scripting.
I came across a work around which was to include this line:
$.support.cors = true;
at the top of my javascript code. From what I understand this enables cross site scripting in jQuery.
Does having this line of code make my site more vulnerable to attack? I’ve always heard XSS discussed as a security issue, are there legitimate uses for XSS?
XSS is not a feature that can be enabled in jQuery. It would be very very unusual if the jQuery core had an XSS vulnerability, but it is possible and its called DOM-based XSS.
“Cross-Origin Resource Sharing” or CORS isn’t the same as XSS, BUT, but if a web application had an XSS vulnerability, then an attacker would have CORS-like access to all resources on that domain. In short, CORS gives you control over how you break the same origin policy such that you don’t need to introduce a full on XSS vulnerability.
The
$.support.corsquery feature relies upon theAccess-Control-Allow-OriginHTTP response header. This could be a vulnerability. For example, if a web application hadAccess-Control-Allow-Origin: *on every page, then an attacker would have the same level of access as an XSS vulenrablity. Be careful what pages you introduce CORS headers, and try and avoid*as much as possible.So to answer your question: NO a web application never needs to introduce an XSS vulnerability because there are way around the SOP such as CORS/jsonp/cross domain proxies/access-control-origin.