03-25-2010, 12:17 PM | #16
shedokan (Regular Coder; Join Date: Oct 2007; Posts: 277)
Quote:
Originally Posted by rnd me
A different website cannot make requests to your server using ajax, but a server or remote script request could. You can check the Referer header for a match as well. Using post instead of get will cut off all non-user-approved (popup-warning) xdomain client-side IO actions.

A script whose context originates from another site will not have access to your cookies.
Thanks, but what if that script used a function on my domain, would it count as if it were sent by my domain?
03-25-2010, 01:26 PM | #17
MattF (Senior Coder; Join Date: Jul 2009; Location: South Yorkshire, England; Posts: 2,322)
Quote:
Originally Posted by rnd me
You can check the Referer header for a match as well.
The Referer header can't be relied upon though.
03-25-2010, 01:27 PM | #18
MattF (Senior Coder; Join Date: Jul 2009; Location: South Yorkshire, England; Posts: 2,322)
Quote:
Originally Posted by shedokan
Thanks, but what if that script used a function on my domain, would it count as if it were sent by my domain?
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/Cross-site_request_forgery
03-26-2010, 02:30 PM | #19
shedokan (Regular Coder; Join Date: Oct 2007; Posts: 277)
Oh, so they can't use code outside of their iframe, thanks.
I think I'll use iframes for some apps and have a way for them to put in HTML content that will be checked for security before I let them publish their plugins.

If someone had said so in the first place I would have been less confused.

Thanks to everyone anyway.