Sorry - what? Oh - are you asking if I would know to use that vector? If I run your site and see a request made via XHR to foo.cfm, and then I try to run it myself in another tab and get blocked, then yes, I would consider that. And I'm a "Script Kiddy Hacker" so I assume the real guys would try it too.
Shoot - I almost always try the URLs I see in Firebug/Chrome Dev tools. I'm not trying to be malicious of course. Just poking around. On Mon, Aug 16, 2010 at 11:34 AM, Andy Matthews <[email protected]> wrote: > > Yes, but would you know TO do that? > > > andy > > -----Original Message----- > From: Raymond Camden [mailto:[email protected]] > Sent: Monday, August 16, 2010 11:30 AM > To: cf-talk > Subject: Re: Preventing use of remote method by other sites > > > Don't forget you can easily set those headers yourself. I could setup cfhttp > to use that header and hit your resource. > > > On Fri, Aug 13, 2010 at 3:31 PM, Andy Matthews <[email protected]> > wrote: >> >> Works perfectly Tony. I simplified the conditional tho' >> >> <cfif StructKeyExists(headers,'X-Requested-With') AND >> headers['X-Requested-With'] EQ 'XMLHttpRequest'> >> >> </cfif> > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336298 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
