Well if you need to secure it, as mentioned you have the domain security aspect of the call... and as your domain will be the only thing posting to it then it should be secure in that regard, but it does not stop normal HTTP requests to the page. You could then check to ensure that the referrer domain is your actual domain and that will stop someone else making a request to any of your pages within your application. The thing to remember is that AJAX happens in JavaScript which can be accessed and read, so any potential hacker can just read your JS file and see what security measures you have put in place, so in my opinion any security you do put in place should not be happening there; it should be happening server side, out of reach of spying eyes.
-----Original Message-----
From: hairbo [mailto:[email protected]]
Sent: Tuesday, 5 October 2010 1:15 AM
To: MooTools Users
Subject: [Moo] Re: Sort of a general AJAX security question

Thanks to all who replied.

@Ryan, I'm 99% sure you can make an AJAX request with GET params, so the contents of the querystring would matter, potentially.

@Arieh, I don't have the notion that AJAX is inherently more secure. Mostly, I just need to make sure that data posted directly to an AJAX page outside the context of an AJAX request won't "break the world". So the general question is whether there was some industry standard for ensuring requests to an AJAX post page really do come from an AJAX caller. If the answer is "no", that's fine. I'll deal with my issues in other ways.

Thanks again.

On Oct 2, 2:11 am, אריה גלזר <[email protected]> wrote:
> I don't see the problem. The problem might be the notion that AJAX is more
> secure. AJAX is no different than a regular POST, other than the same-domain
> policy (which - I agree, is a tiny bit more secure, but only that much,
> since, as you demonstrated, it's easy to override it).
> You should consider your AJAX pages as a secondary API to your page. Assume a
> dedicated user will have no problem figuring out your mechanism (it is in the
> code after all).
> Secure your AJAX pages the same way you would any other page - I really
> can't see how this is different than any other page security - escape your
> input, try to identify brute-forces etc.
>
> On Sat, Oct 2, 2010 at 12:58 AM, hairbo <[email protected]> wrote:
> > I'm not 100% sure how to phrase this, so apologies if this post gets
> > wordy or confusing...
> >
> > Is there any standard way to ensure that data received on an AJAX post
> > page does, in fact, come to that page via an AJAX request? I could
> > imagine somebody coming to a site that handles login via AJAX, popping
> > open Firebug, figuring out what the AJAX post page is for the login
> > request, and then navigating directly to that page in a browser,
> > throwing params in the URL, just to see what might happen.
> >
> > Without being able to articulate exactly why, I'd say this sounds like
> > a "bad" thing. Is there any sort of a token one passes from an AJAX
> > post in JS back to the server for authentication?
> >
> > Does my question even make sense?
> >
> > Thanks in advance.
>
> --
> Arieh Glazer
> אריה גלזר
> 052-5348-561
> 5561
