Prevent intercepting XHR requests in JavaScript

Question

Is there a way to prevent the intercepting of XHR requests from the global scope (like here)?

First, that comes to mind, pass XMLHttpRequest as a parameter to the application entry function (or IIFE) and make requests based on that copy (e.g. JQuery has an option for a custom XHR object). Is it reliable? Or there are other ways to intercept requests without altering XMLHttpRequest?

The concern is to handle a case when after a successful XSS attack, an attacker can intercept requests and steal the JWT from a header.

"[...] after a successful XSS attack" you have bigger problems than whatever you're trying to solve here. It's like... "they might nuke us, so how do we handle the foot soldiers?" — Niet the Dark Absol, Mar 11 '21 at 12:52
You are right, but sometimes you don't have control over everything. — Ievgen Martynov, Mar 11 '21 at 14:06

score 1 · Answer 1 · answered Mar 11 '21 at 13:01

1

make it immutable:

const send = XMLHttpRequest.prototype.send;
delete XMLHttpRequest.prototype.send;
Object.defineProperty(XMLHttpRequest.prototype, 'send', {value: send});

answered Mar 11 '21 at 13:01

n--

3,563
4
9

Thanks! That's looking promising. As an extra step, the XMLHttpRequest itself could be done as read-only. – Ievgen Martynov Mar 11 '21 at 14:14
what if someone managed to mutate it in the runtime prior to execution of this code? – Alex Shchur Jun 04 '23 at 06:41

Prevent intercepting XHR requests in JavaScript

1 Answers1