> Is there any standard way to ensure that data received on an AJAX > post page does, in fact, come to that page via an AJAX request?
No. Any HTTP request can be replayed outside the recorded context. It's not just XHR vs. primary browser URL. You've got cURL, Fiddler or anything else that speaks HTTP. For example, well-behaved browsers don't send X-Requested-With unless they really use XHR. But that says nothing about other HTTP clients. Concepts like POST-Once-Exactly can discourage the verbatim reuse of a request, and can make guessing a new valid request difficult. But that does nothing to stop the initial, valid request from being re/crafted before it's first submitted. -- Sandy
