aramrami / OWASP-CSRFGuard

OWASP CSRFGuard 3.1.0

Synchronous XMLHttpRequest deprecation?

jellisgwn opened this issue · comments

Chrome Version 84.0.4147.135 is reporting:

JavaScriptServlet:99 [Deprecation] Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.

in the hijackStandard() method:

```javascript
/** hook using standards based prototype **/
function hijackStandard() {
	// Wrap open() so the request URL is remembered; the async flag is passed
	// through untouched, so a caller that passes async=false still gets a
	// synchronous request, and Chrome reports the deprecation at this line.
	XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
	XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
		this.url = url;

		this._open.apply(this, arguments); // <-- here
	};

	// Wrap send() so an onsend hook can run (e.g. to inject the token header)
	// before the original send() is called.
	XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
	XMLHttpRequest.prototype.send = function(data) {
		if(this.onsend != null) {
			this.onsend.apply(this, arguments);
		}

		this._send.apply(this, arguments);
	};
}
```

Is this something that can be cleaned up?

I intend to include the fix for this in a larger refactoring that I am doing.

@forgedhallpass thanks for the reply.

Is it correct to assume that simply changing the request to be asynchronous would be a security problem?

Normally it shouldn't be, but I haven't had the time to test everything out yet. Besides setting the async flag to true, the responses must be handled in callbacks.

There is a race condition while requesting the page tokens asynchronously if some of the protected pages are referenced from IFRAMEs or IMG tags, that results in false-positive attack attempts.

Related to #51

Because of the above mentioned race condition, the async flag was made configurable in the new code-base. The test application was also updated with a new page dedicated to this special scenario.

The current approach of the OWASP CSRFGuard relies on JavaScript logic for injecting CSRF tokens into HTML elements or XHR requests. Forcing synchronous loading of the AJAX requests has been disabled, since they were deprecated due to their negative impact on the user experience. For this reason, protecting resources that would load before or in parallel with the JavaScript logic (e.g. referenced IFrames or IMG tags) is not possible.
In most cases this should not be a problem, because usually GET requests should not facilitate state-changing operations. If this last condition cannot be fulfilled (e.g. for legacy applications), backwards compatibility can be achieved by enabling the "forceSynchronousAjax" property within the configuration, until there is browser support for it.

You can find the new release candidate under Releases in the official repository.
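To make the two points of this thread concrete, the prototype hijack shown in the opening post and the synchronous-versus-asynchronous token fetch discussed afterwards, here is an added example that is not CSRFGuard's own code and not part of the issue. It runs under Node, so it ships with a constructed stand-in for `XMLHttpRequest` (a browser supplies the real one) and a hand-driven stand-in for the event loop. The header name `X-CSRF-TOKEN`, the token endpoint `/csrfguard`, the protected path `/protected/resource`, the token value and the use of `forceSynchronousAjax` as a function parameter rather than a configuration property are all assumptions made for the example:

```javascript
'use strict';
// Added example, not CSRFGuard's code. Constructed XMLHttpRequest stand-in so the
// prototype hijack from the issue runs offline under Node; a browser supplies the real one.
const pendingResponses = []; // constructed stand-in for the browser event loop
const CONSTRUCTED_TOKEN = 'constructed-token-value'; // what the token endpoint "returns"

class XMLHttpRequest {
  constructor() { this.readyState = 0; this.status = 0; this.responseText = ''; this._headers = {}; }
  open(method, url, async = true) { this.method = method; this.url = url; this.async = async; this.readyState = 1; }
  setRequestHeader(name, value) { this._headers[name] = value; }
  sentHeaders() { return Object.assign({}, this._headers); }
  send(body) {
    this.body = body;
    const finish = () => {
      this.readyState = 4; this.status = 200; this.responseText = CONSTRUCTED_TOKEN;
      if (this.onreadystatechange) this.onreadystatechange();
    };
    // async=false completes before send() returns: the blocking behaviour Chrome warns about.
    // async=true completes on a later event-loop turn, here when runEventLoop() is called.
    if (this.async) pendingResponses.push(finish); else finish();
  }
}
function runEventLoop() { while (pendingResponses.length) pendingResponses.shift()(); }

const TOKEN_HEADER = 'X-CSRF-TOKEN'; // assumed header name; configurable in a real deployment
let pageToken = null;                // filled in once the token fetch completes

// The prototype hijack from the issue: every XHR created after this call passes through
// our open()/send(), and send() calls an onsend hook (our hook, not a standard XHR event).
function hijackStandard() {
  const proto = XMLHttpRequest.prototype;
  if (proto._open) return; // already hooked
  proto._open = proto.open;
  proto.open = function (method, url, async, user, pass) {
    this.url = url;
    return this._open.apply(this, arguments); // async flag is forwarded untouched
  };
  proto._send = proto.send;
  proto.send = function (data) {
    if (this.onsend != null) this.onsend.apply(this, arguments);
    return this._send.apply(this, arguments);
  };
}
// Token injection lives in the onsend hook: after open(), before the real send().
XMLHttpRequest.prototype.onsend = function () {
  if (pageToken !== null) this.setRequestHeader(TOKEN_HEADER, pageToken);
};
hijackStandard();

// Token fetch with the flag the thread calls forceSynchronousAjax (a parameter here,
// a configuration property in CSRFGuard). The endpoint path /csrfguard is assumed.
function fetchPageToken(forceSynchronousAjax, onToken) {
  const xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4 && xhr.status === 200) {
      pageToken = xhr.responseText;
      if (onToken) onToken(pageToken);
    }
  };
  xhr.open('POST', '/csrfguard', !forceSynchronousAjax);
  xhr.send(null);
}

function sendProtectedRequest() {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', '/protected/resource');
  xhr.send(null);
  return xhr.sentHeaders()[TOKEN_HEADER] || null; // what the server would see
}
function resetScenario() { pageToken = null; pendingResponses.length = 0; }

// Scenario 1: a protected request fired right after the token fetch. Synchronous fetch:
// the token is present. Asynchronous fetch: the request leaves before the token arrives,
// the false-positive "attack attempt" the maintainers describe for IFRAME/IMG loads.
function requestImmediately(forceSynchronousAjax) {
  resetScenario();
  fetchPageToken(forceSynchronousAjax);
  return sendProtectedRequest();
}
// Scenario 2: the correct asynchronous form, sending only from the token callback.
function requestFromCallback() {
  resetScenario();
  let seen = null;
  fetchPageToken(false, () => { seen = sendProtectedRequest(); });
  runEventLoop(); // token response arrives, callback fires, protected request carries the header
  return seen;
}
```

`requestImmediately(true)` is the legacy behaviour the `forceSynchronousAjax` property restores: the token is in place before the next request goes out, at the cost of the blocking call Chrome flags. `requestImmediately(false)` reproduces the race from the thread, and `requestFromCallback()` shows why the maintainers say the responses must be handled in callbacks once the flag is switched off. Resources such as IFRAMEs or IMG tags have no callback to wait on, which is why the quoted documentation says they cannot be protected without the synchronous fetch.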