CORS/JSONP with WebAPI Security woes
https://stackoverflow.com/questions/12265826
-
30-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm wondering if there's anyone out there with a simplified resolution for my scenario, I'm out of ideas now.
I have a WebAPI service, which I want to be on another domain than my site calling it. This service has been secured, so required Basic Authentication.
I want to call it from jQuery, in which you can't send a "jsonp" request due to you can't set the request header, and I can't use json as I'd have to use CORS in which isn't supported by IE6/7, so that's not viable too.
Are there any other options available to me to get my scenario working?
Solution
If you were to create auth headers in Javascript, that would make your authentication/security moot (client side = credentials visible to any client).
You can also send basic auth credentials in the url (instead of headers): http://user:pass@my_domain.com (not that you should).
You could create/call a server-side "proxy" in the calling app that actually does the http request - you have full control of whatever headers you need.
Since you are implementing Basic Authentication clear text, hopefully you're employing SSL as well. Your credentials aren't visible to the client (the call is server-side).
The call will then be "local" to your Javascript/jQuery.
Issue: it pretty much makes authentication moot (too), unless you filter/validate requests to your proxy.
Hth....
