Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. Its effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
For GuideStar APIs, it is not possible to prevent the discovery of API authentication details when the APIs are accessed from a site other than the origin site that serves the web page or application. If client-side scripts contain authentication information, those credentials can be read and used by other parties to make API calls. Such unauthorized API calls are the responsibility of the user whose key or username/password pair has been compromised, and charges might be assessed to the owner of the key. The diagram below shows the problem:
A mechanism called Cross-Origin Resource Sharing (CORS) gives web servers cross-domain access controls, which enable secure cross-domain data transfers. Modern browsers apply CORS in an API container, such as XMLHttpRequest or Fetch, to mitigate the risks of cross-origin HTTP requests. Although CORS is the standard W3C recommendation for working around the same-origin policy, our additional security requirements mean that all API calls must be made from the origin server. This way, the username/password pair and/or API key remain secure on both ends.
The solution for applications that need to access GuideStar APIs from a client application is to create a process on the originating web server that accepts web requests from the client and then makes the call to the GuideStar API on the client's behalf. When the data is returned to the originating server, it is relayed back to the client, so the credentials never leave the server.
The diagram below illustrates this approach:
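The server-side relay described above, as an added example rather than GuideStar's own code: the API key is read from the server's environment, client requests are mapped through an allowlist of routes and parameters so the relay cannot be used as an open proxy for the key, and only the upstream body is returned to the browser. The base URL, header name and route names are assumed placeholders, not GuideStar's real API.

```python
"""Origin-server relay: the GuideStar API key stays on the server, never in client scripts."""
import json
import os
import urllib.parse
import urllib.request

# Assumed placeholders; substitute the real API base URL and auth header for your deployment.
UPSTREAM_BASE = os.environ.get("GUIDESTAR_API_BASE", "https://api.example.invalid/v1")
API_KEY = os.environ.get("GUIDESTAR_API_KEY", "PLACEHOLDER-KEY")

# Allowlist: client-facing route -> (upstream path, query parameters the client may pass).
# Anything not listed is refused, so a caller cannot reach arbitrary upstream endpoints.
ROUTES = {
    "/api/search": ("/search", {"q", "state"}),
    "/api/orgs": ("/organizations", {"ein"}),
}


def build_upstream(client_path, client_query):
    """Translate a client request into the upstream request, injecting the server-held key."""
    if client_path not in ROUTES:
        raise PermissionError("route not allowed")
    upstream_path, allowed = ROUTES[client_path]
    params = {k: v for k, v in client_query.items() if k in allowed}  # drop anything else
    url = UPSTREAM_BASE + upstream_path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {"X-Api-Key": API_KEY, "Accept": "application/json"}  # key added server-side
    return url, headers


def _http_fetch(url, headers):
    """Real upstream call (stdlib only)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode())


def handle_client_request(client_path, client_query, fetch=_http_fetch):
    """Relay one client request; returns (status, body). `fetch` is injectable for testing.

    Gate this handler behind your site's own session authentication and rate limiting,
    otherwise anyone who can reach the relay can spend the key's quota.
    """
    try:
        url, headers = build_upstream(client_path, client_query)
    except PermissionError:
        return 404, {"error": "unknown route"}
    status, body = fetch(url, headers)
    # Forward only the JSON body: upstream headers (and the key) never reach the browser.
    return status, body
```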