Don't forget you can easily set those headers yourself. I could set up cfhttp to use that header and hit your resource.
On Fri, Aug 13, 2010 at 3:31 PM, Andy Matthews <[email protected]> wrote:
>
> Works perfectly Tony. I simplified the conditional tho'
>
> <cfif StructKeyExists(headers,'X-Requested-With') AND headers['X-Requested-With'] EQ 'XMLHttpRequest'>
>
> </cfif>
>
>
> -----Original Message-----
> From: Tony Bentley [mailto:[email protected]]
> Sent: Friday, August 13, 2010 2:55 PM
> To: cf-talk
> Subject: Re: Preventing use of remote method by other sites
>
>
> I use a cfc that checks to see if the method being called is from within the
> domain, is indeed ajax and that the method is indeed accessed remotely,
> otherwise abort the request. If you are doing cross site requests, pass a
> unique key in your form.
>
> Is it ajax?
>
> <cffunction name="isAjax" access="private" returntype="boolean" output="false">
>     <!---
>     all of the user management requests are going to come via ajax
>     within the domain.
>     if a request is not from this site and not ajax, abort the request
>     run this check on any of the remote methods
>     --->
>     <cfscript>
>         // var-scope the local so it does not leak into the CFC's variables scope
>         var requestHeaders = getHTTPRequestData().headers;
>         if(not StructKeyExists(requestHeaders, "X-Requested-With")){
>             return false;
>         }
>         else if(StructFind(requestHeaders,"X-Requested-With") neq "XMLHttpRequest"){
>             return false;
>         }
>         else{
>             return true;
>         }
>     </cfscript>
> </cffunction>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336296
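
The thread's two points combined: because the caller controls X-Requested-With, the header can only be a hint, and the "unique key" has to be what the server actually verifies. The CFC below is an added example, not code from any poster in this thread; it assumes session management is enabled in the application, and the names issueRequestToken, isTrustedRequest, updateUser and session.requestToken are hypothetical.

```cfml
<cfcomponent output="false">

    <!--- Called by the page that renders the form; embed the returned value in the form or AJAX call. --->
    <cffunction name="issueRequestToken" access="public" returntype="string" output="false">
        <cflock scope="session" type="exclusive" timeout="5">
            <cfif NOT StructKeyExists(session, "requestToken")>
                <!--- Random per-session secret; never derived from anything the client sends. --->
                <cfset session.requestToken = Hash(GenerateSecretKey("AES"), "SHA-256")>
            </cfif>
            <cfreturn session.requestToken>
        </cflock>
    </cffunction>

    <cffunction name="isTrustedRequest" access="private" returntype="boolean" output="false">
        <cfargument name="token" type="string" required="true">
        <cfset var requestHeaders = getHTTPRequestData().headers>

        <!--- Header check kept as a cheap first filter only: any HTTP client can set it. --->
        <cfif NOT StructKeyExists(requestHeaders, "X-Requested-With")
              OR requestHeaders["X-Requested-With"] NEQ "XMLHttpRequest">
            <cfreturn false>
        </cfif>

        <!--- The real control: a token that exists only in this user's session. --->
        <cfif NOT StructKeyExists(session, "requestToken") OR NOT Len(arguments.token)>
            <cfreturn false>
        </cfif>
        <!--- Compare() is case-sensitive, unlike EQ. --->
        <cfreturn Compare(arguments.token, session.requestToken) EQ 0>
    </cffunction>

    <!--- Hypothetical remote method showing where the check is applied. --->
    <cffunction name="updateUser" access="remote" returntype="struct" returnformat="json" output="false">
        <cfargument name="token" type="string" required="false" default="">
        <cfset var result = StructNew()>
        <cfset result.ok = isTrustedRequest(arguments.token)>
        <cfif NOT result.ok>
            <cfheader statuscode="403" statustext="Forbidden">
        </cfif>
        <!--- The real work would go here, only when result.ok is true. --->
        <cfreturn result>
    </cffunction>

</cfcomponent>
```

A request that spoofs the header but has no session, or sends the wrong token, gets a 403 from updateUser.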

