On 18/07/10 10:03, Florian Apolloner wrote:
> On Jul 17, 11:29 am, Gregor Müllegger <gre...@muellegger.de> wrote:
>> I think Florian meant that it's not possible to change HTTP headers by
>> JavaScript XSS attacks (or am I wrong here as well?).
> Exactly.
I think you're thinking of CSRF. JavaScripted client-side parts of XSS attacks run in the script context of the page they're injected into, whatever that may be, and could AFAIUI toggle the real header, insert the hidden field, grab cookies and whatnot.

Re CSRF: that's why I wasn't suggesting making is_ajax() return true for the pseudo-header, as you wouldn't want is_framejax() to trigger bypass of the CSRF countermeasure middleware - in fact you might want to require it, raising an exception if it's called before request.csrf_processing_done or something.

Actually, now that csrf_token is more controllably exposed, how does one _not_ exempt is_ajax() requests from the CSRF countermeasure check? (Never mind, rhetorical, "make copypasta CSRF middleware that doesn't bypass" is probably adequate...)

Anyway, probably too specialised to worry about, and a custom middleware can, as pointed out, handle it if necessary.

Roll on HTML5...

-- 
You received this message because you are subscribed to the Google Groups "Django developers" group.
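As an added illustration of the two points in the message above (not code from this thread or from Django itself): a minimal model of a CSRF view check that, unlike the middleware the message complains about, grants no exemption to requests merely because they carry the X-Requested-With header, plus a framejax-style pseudo-header check that refuses to answer before CSRF processing has run. The `Request`, `csrf_check`, `is_framejax` names and the `_framejax` hidden field are assumptions made for this example.

```python
import hmac
from dataclasses import dataclass, field

# Methods that never mutate state and therefore need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Constructed stand-in for a framework request (hypothetical shape)."""
    method: str
    META: dict = field(default_factory=dict)     # headers, WSGI-style keys
    COOKIES: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)
    csrf_processing_done: bool = False

    def is_ajax(self) -> bool:
        # A real header: same-origin script (and so an XSS payload) can set it,
        # but a plain cross-site form post cannot. That makes it a CSRF signal,
        # not an XSS defence, and not a reason to skip the token check.
        return self.META.get("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest"


def csrf_check(request: Request) -> bool:
    """Return True if the request may proceed. Deliberately no is_ajax() bypass."""
    if request.method in SAFE_METHODS:
        request.csrf_processing_done = True
        return True
    cookie_token = request.COOKIES.get("csrftoken", "")
    form_token = request.POST.get("csrfmiddlewaretoken", "")
    # Constant-time comparison of the double-submitted token.
    ok = bool(cookie_token) and hmac.compare_digest(form_token, cookie_token)
    request.csrf_processing_done = True
    return ok


def is_framejax(request: Request) -> bool:
    """Pseudo-header carried as a hidden form field (assumed name `_framejax`).

    It is only trustworthy once the CSRF check has run, so consulting it
    earlier is treated as a programming error rather than answered.
    """
    if not request.csrf_processing_done:
        raise RuntimeError("is_framejax() consulted before CSRF processing")
    return request.POST.get("_framejax") == "1"
```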