I remember reading somewhere that JavaScript can only contact back to the server that it was loaded from...

As far as reverse engineering your ajax calls... sure... but how is it different from reverse engineering html and changing hidden fields, etc... As long as you're doing proper authentication when you process the call, and validating the data (not letting javascript do it for you), you shouldn't have any security problems.

Russ

-----Original Message-----
From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 03, 2006 1:58 PM
To: CF-Talk
Subject: AJAX and security

It has just hit me that AJAX may not be all that safe. One could derive all that is being passed in an AJAX request by using view source and nabbing any included JS files. Once you had that info you could then figure out what's being sent in the request (i.e. variable names etc.). So in the case of an AJAX call that perhaps sends form contents to be inserted into the DB....what's to stop someone from reverse engineering your AJAX call and start inserting their own data??

I'm not readily seeing in the AJAX code where the domain is specified (my guess is programmatically) as there is no domain setting....just which CFC/CFM file to call.

I'm still working out the kinks....I love the possibilities of CFAJAX.....but this security issue (if it really is one) has me a bit spooked ;-)

TIA

Cheers

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com


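Russ's point, that the server-side handler authenticates and validates no matter how the request was built, as an added example that is not part of this thread. A Node.js function stands in for the CFC/CFM the AJAX call targets; the session store, the field schema and the request shape are assumptions.

```javascript
// Added example (not from the thread): the handler behind an AJAX insert
// endpoint treats a request from the page's own script and a hand-crafted
// request exactly the same way, because it cannot tell them apart.

// Constructed session store: session token -> authenticated user.
const SESSIONS = new Map([["s3ss10n-valid", { userId: 42 }]]);

// The only fields the endpoint accepts, each with a server-side validator.
// Field names learned from view-source give an attacker nothing extra:
// unknown names are rejected, known ones are re-validated here.
const SCHEMA = {
  title: (v) => typeof v === "string" && v.length > 0 && v.length <= 100,
  body: (v) => typeof v === "string" && v.length <= 2000,
};

// req = { sessionToken: string, body: object } (assumed request shape).
// Returns { status, error } or { status, record }; pure, so it is testable.
function handleInsert(req) {
  const body = req.body || {};

  // 1. Authenticate on the server; the client-side JS is not trusted.
  const session = SESSIONS.get(req.sessionToken);
  if (!session) return { status: 401, error: "not authenticated" };

  // 2. Reject any field the form was never meant to send (e.g. "owner").
  const unknown = Object.keys(body).filter((k) => !(k in SCHEMA));
  if (unknown.length) {
    return { status: 400, error: `unexpected fields: ${unknown.join(",")}` };
  }

  // 3. Validate every expected field again, regardless of client checks.
  for (const [name, isValid] of Object.entries(SCHEMA)) {
    if (!isValid(body[name])) return { status: 400, error: `invalid ${name}` };
  }

  // 4. Ownership comes from the session, never from the request body,
  //    so a crafted request cannot insert data as someone else.
  return {
    status: 201,
    record: { owner: session.userId, title: body.title, body: body.body },
  };
}
```

Binding the record to the session's user is what makes a reverse-engineered call harmless: the attacker can only insert what an authenticated user of that account could insert anyway.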