Hi,

On Jul 16, 7:25 pm, David De La Harpe Golden <david.delaharpe.gol...@ichec.ie> wrote:
> People doing ajax have probably hit the "XMLHttpRequest doesn't do file
> uploads (at least not non-browser-specifically), use a hidden iframe
> kludge or flash" issue. Anyway, maybe that will change one day

It's already changing; modern browsers can do what you want (google for html5 file uploads). I don't see any reason to support something like you suggest; we should support standards and not workarounds (just my opinion). IMO the best way currently is to use the new APIs and fall back to Flash or whatever if needed (I actually guess Flash is the best fallback here).

> The hidden-iframe requests will AFAIK show up with request.is_ajax() ==
> False to django. So a "done thing" (I think) to distinguish between the
> non-ajax and hidden-iframe requests seems to be to just have an extra
> field to act as a pseudo-header, i.e.
>
> <input type="hidden" name="X-Requested-With" value="ScriptedIFrame">

This input field is easily fakeable. An attacker can't fake your browser's XHR requests, which makes request.is_ajax somewhat secure and trustable. I don't see how your solution could achieve that.

> or "?X-Requested-With=ScriptedIFrame"

Same as above.

> It might nonetheless be nice for django to have some support for
> checking for some particular pseudo-header.

-1, mostly due to the fact that it's something most people won't need and you can easily inject that info using a middleware yourself. Hence I am for solution A.

Cheers,
Florian
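
The middleware route mentioned in the reply, sketched as an added example that is not part of the original message or of Django itself. It is shaped like a Django middleware but imports nothing from Django so it runs stand-alone; `RequestKindMiddleware`, `request_kind` and `FakeRequest` are hypothetical names, and the sample requests are constructed.

```python
# Added example (not from the thread or from Django): tag requests made
# through a hidden-iframe upload form. Shaped like a Django middleware but
# imports nothing from Django. RequestKindMiddleware, request_kind and
# FakeRequest are hypothetical names.

PSEUDO_HEADER = "X-Requested-With"  # form field / query key from the thread
IFRAME_VALUE = "ScriptedIFrame"     # value proposed in the thread


def classify(request):
    """Return 'xhr', 'scripted-iframe' or 'plain' for a Django-like request."""
    # Real HTTP header, the one request.is_ajax() compares to "XMLHttpRequest".
    if request.META.get("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest":
        return "xhr"
    # Pseudo-header: an ordinary form field or query parameter.
    for params in (request.POST, request.GET):
        if params.get(PSEUDO_HEADER) == IFRAME_VALUE:
            return "scripted-iframe"
    return "plain"


class RequestKindMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # Presentation hint only: the field is client-supplied (the reply calls
        # it easily fakeable), so views must not base authentication,
        # authorization or CSRF decisions on request_kind.
        request.request_kind = classify(request)
        return self.get_response(request)


class FakeRequest:
    """Constructed stand-in for django.http.HttpRequest (sample input)."""
    def __init__(self, meta=None, post=None, get=None):
        self.META, self.POST, self.GET = meta or {}, post or {}, get or {}


def demo():
    view = lambda request: request.request_kind  # trivial stand-in view
    mw = RequestKindMiddleware(view)
    return [
        mw(FakeRequest(meta={"HTTP_X_REQUESTED_WITH": "XMLHttpRequest"})),
        mw(FakeRequest(post={PSEUDO_HEADER: IFRAME_VALUE})),
        mw(FakeRequest(get={PSEUDO_HEADER: IFRAME_VALUE})),
        mw(FakeRequest(post={"title": "report.pdf"})),
    ]
```

A view can branch on `request.request_kind` to choose a response format for the iframe case, while its CSRF and permission checks stay identical for all three kinds.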