Ajax - Do browsers allow cross-domain requests to be quotsentquot

I am newbie to website security and currently trying to understand Same-Origin-Policy in some depth. While there are very good posts on stackoverflow and elsewhere about the concept of SOP, I could not find updated information on whether chrome and other browsers allow cross-domain XHR post requests to be sent from the first place.

http://stackoverflow.com/questions/5938842/cross-domain-ajax-post-in-chrome http://stackoverflow.com/questions/5938842/cross-domain-ajax-post-in-chrome

I tested that on my website trying to change user info on my server from a different domain. Details below:

• My domain: "www.mysite.com"
• Attacker domain: "www.attacker.mysite.com"
According to Same-Origin-Policy those two are considered different Origins.
• User (while logged in to www.mysite.com) opens www.attacker.mysite.com and presses a button that fires a POST request to www.mysite.com server...The submitted hidden form (without tokens in this case) has all the required information to change the user s info on www.mysite.com server --> Result: CSRF successful attack: The user info does indeed change.
• Now do the same but with javascript submitting the form through JQuery .post instead of submitting the form--> Result: Besides chrome giving the normal response:

No Access-Control-Allow-Origin header is present on the requested resource

, I found that no change is done on the server side...It seems that the request does not even pass through from the browser. The user info does not change at all! While that sounds good, I was expecting the opposite.

According to my understanding and the post linked above, for cross-domain requests, only the server response should be blocked by the browser not sending the post request to the server from the first place. Also, I do not have any CORS configuration set; no Access-Control-Allow-Origin headers are sent. But even if I had that set, that should apply only on reading the server response not actually sending the request...right?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

So is it that chrome has changed its security specs to prevent the post request to a cross domain from the first place? or am I missing something here in my understanding to the same-origin-policy?

Either way, it would be helpful to know if there is a source for updated security measures implemented in different web browsers.

The XMLHttpRequest object behavior has been revisited with time.

The first AJAX request were unconstrained.
When SOP was introduced the XMLHttpRequest was updated to restrict every cross-origin request

*If the origin of url is not same origin with the XMLHttpRequest origin the user agent should raise a SECURITY_ERR exception and terminate these steps.

https://www.w3.org/TR/2009/WD-XMLHttpRequest-20091119/#the-open-method https://www.w3.org/TR/2009/WD-XMLHttpRequest-20091119/#the-open-method

The idea was that an AJAX request that couldn t read the response was useless and probably malicious, so they were forbidden.
So in general a cross-origin AJAX call would never make it to the server. This API is now called XMLHttpRequest Level 1 .

It turned out that SOP was in general too strict, before CORS was developed, Microsoft started to supply (and tried to standardize) a new XMLHttpRequest2 API that would allow only some specific requests, stripped by any cookie and most headers.

The standardization failed and was merged back into the XMLHttpRequest API after the advent of CORS. The behavior of Microsoft API was mostly retained but more complex (read: potentially dangerous) requests were allowed upon specific allowance from the server (through the use of pre-flights).

https://www.w3.org/TR/cors/#simple-method https://www.w3.org/TR/cors/#simple-method

Pre-flights are done with the OPTIONS method and doesn t contain any form information, as such no updates on the server are done.
When the pre-flight fails, the user-agent (the browser) terminate the AJAX request, preserving the XMLHttpRequest Level 1 behavior.

So in short: For XMLHttpRequest the SOP was stronger, deny any cross-origin operations despite the goals stated by the SOP principles. This was possible because at the time that didn t break anything.
CORS loosened the policy allowing "non harmful" requests by default and allowing the negotiation of the others.