NCBIConnect
Cross site scripting...
Hello, a couple of days ago I was considering building a library like this (client-side JavaScript) and incorporating it into a bioinformatics web application. However, I ran into some issues during the design phase when I realized that using XMLHTTPRequest() would supposedly not work due to the browser blocking cross-domain XMLHTTPRequest() for security reasons.
NCBI doesn't support anything like JSONP or CORS, so some people set up an AJAX endpoint (with caching) called EntrezAJAX (essentially a proxy).
Did you happen to take into account cross-domain scripting issues and find a way around them?
When I implemented this API a few weeks ago, NCBI did not have a same-origin policy on their Entrez API.
Whether it was an error on their part or not, it seems a bit ridiculous to me that they'd implement it to begin with. Their usage guidelines do not conflict with the nature of AJAX requests.
I'll send an e-mail to somebody tonight and let you know what's going on if I manage to hear back.
Cheers,
- Keith
On Jun 19, 2014, at 3:09 PM, Lee Bergstrand [email protected] wrote:
I thought it would be the other way around. The browser would block you, not NCBI.
Quote from Same-origin policy on Wikipedia:
In computing, the same-origin policy is an important concept in the web application security model. The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number[1] – to access each other's DOM with no specific restrictions, but prevents access to DOM on different sites.[1] The same-origin policy also applies to XMLHttpRequest and to WebSocket.
This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on the client side to prevent the loss of data confidentiality or integrity.
Have you tried loading NCBIConnect.js from an active web domain and then trying to connect to NCBI (a different domain)? Also, did you allow cross-site scripting in your browser? The default behaviour is to have cross-site scripting turned off for security.
In essence, you can do an AJAX request to the website that is hosting your web app. But you can't do an AJAX request to a website on an entirely different domain than the domain that is hosting your web app.
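The rules under discussion (the origin tuple from the Wikipedia quote, and the check the browser applies to a cross-origin response) written out as plain functions, as an added example that is not code from NCBIConnect. The sample page origin and response headers are constructed for illustration; `responseReadable` reproduces the decision behind the "No 'Access-Control-Allow-Origin' header" error a browser reports, and `needsPreflight` shows why a plain GET to E-utilities is sent without a preflight yet its response is still withheld from script.

```javascript
// Added example (not NCBIConnect code): same-origin tuple comparison and the
// browser-side CORS response check, as plain functions. Runs in Node 18+ or a browser.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// The tuple the same-origin policy compares: scheme, host and port, with the
// scheme's default port filled in when the URL omits it.
function originTuple(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] || "" };
}

function sameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// A "simple" request (GET/HEAD/POST carrying only safelisted headers and content
// types) goes out without a preflight; the browser still withholds the response
// from script unless the CORS response headers permit it. Anything else triggers
// an OPTIONS preflight before the real request is sent at all.
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

function needsPreflight(method, headers = {}) {
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    if (n === "content-type" && !SAFELISTED_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase())) return true;
  }
  return false;
}

// Decide, as the browser does, whether script running on pageUrl may read the
// response to requestUrl, given the response headers. credentials mirrors the
// fetch option: "include" means cookies/auth were sent with the request.
function responseReadable({ pageUrl, requestUrl, responseHeaders = {}, credentials = "omit" }) {
  if (sameOrigin(pageUrl, requestUrl)) return { allowed: true, reason: "same origin; CORS not involved" };
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  const origin = new URL(pageUrl).origin;   // serialized origin the browser sends in the Origin header
  if (acao === undefined) {
    return { allowed: false, reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  }
  if (credentials === "include") {
    if (acao === "*") return { allowed: false, reason: "wildcard Access-Control-Allow-Origin is not accepted for credentialed requests" };
    if ((h["access-control-allow-credentials"] || "").toLowerCase() !== "true") {
      return { allowed: false, reason: "credentialed request also needs Access-Control-Allow-Credentials: true" };
    }
  }
  if (acao !== "*" && acao !== origin) {
    return { allowed: false, reason: "origin " + origin + " does not match Access-Control-Allow-Origin " + acao };
  }
  return { allowed: true, reason: "permitted by CORS response headers" };
}
```

The origin that matters is the one of the page running the script, not where the script file was loaded from. That is why the same XMLHttpRequest succeeds from a devtools console opened on a page of the target origin and is blocked from a page on another site, and why a proxy on the app's own origin sidesteps the check entirely.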
Ah. You are correct. It's client-side. http://www.html5rocks.com/en/tutorials/security/content-security-policy/ . You can run queries from a new browser window's console (no problem) or set up your own server that has the correct CSP header when it delivers pages. I believe running an HTML page alone (from your filebrowser) should work just fine.
I can consider writing a node project bundled here that will run a simple webserver with the appropriate headers, if that would be helpful?
I had a conversation with Mark Johnson at NCBI about enabling CORS on http://eutils.ncbi.nlm.nih.gov... they enabled it back then (December 2009) and I use it to pull paper metadata.
I'm not sure it still works, but this used to...
jQuery.ajax({
  type: "GET",
  url: pubmed_fetch_url,   // E-utilities URL built elsewhere in the app
  success: function (data, textStatus) {
    update_ref_details(data, textStatus, overwrite);   // app-specific handler
    $("p.error_message").text("");
  },
  error: function (xhr, status) {
    $("p.error_message").text("Failed to pull details from Pubmed: " + status);
  },
  complete: function (xhr, status) {
    $("#reference_details_loading").remove();
  },
  dataType: "xml",
  timeout: 20 * 1000   // 20 seconds
});
Found this Github page that list Bioinformatics services that support CORS. May be of some use.
http://lindenb.github.io/pages/cors/index.html
I have had no problems with querying e-utils from a javascript client for the last 2 years but suddenly am getting blocked:
Access to XMLHttpRequest at 'https://eutils.ncbi.nlm.nih.gov/entrez/eutils/espell.fcgi?term=arabadop' from origin 'http://proteomics.tsl.ac.uk' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
For anyone else running into this, enabling mode: 'cors' worked for me:
const res = await fetch(
  "https://eutils.ncbi.nlm.nih.gov/entrez/eutils/esummary.fcgi?db=pubmed&id=22368089&retmode=json",
  { mode: "cors" }   // the response is still only readable if NCBI sends Access-Control-Allow-Origin
);
const summary = await res.json();
https://codesandbox.io/s/flamboyant-tdd-bhnr1?file=/src/index.ts