Ofc you can use GET with AJAX, but you said "an AJAX post" in your original email, that's all. Again, AJAX security requires the same precautions as normal page loads.

Sent from my iPhone

On Oct 4, 2010, at 8:15 AM, hairbo <[email protected]> wrote:

> Thanks to all who replied. @Ryan, I'm 99% sure you can make an AJAX request with GET params, so the contents of the querystring would matter, potentially. @Arieh, I don't have the notion that AJAX is inherently more secure. Mostly, I just need to make sure that data posted directly to an AJAX page outside the context of an AJAX request won't "break the world". So the general question is whether there was some industry standard for ensuring requests to an AJAX post page really do come from an AJAX caller. If the answer is "no", that's fine. I'll deal with my issues in other ways.
>
> Thanks again.
>
> On Oct 2, 2:11 am, אריה גלזר <[email protected]> wrote:
>> I don't see the problem. The problem might be the notion that AJAX is more secure. AJAX is no different than a regular POST, other than the same-domain policy (which, I agree, is a tidy bit more secure, but only that much, since, as you demonstrated, it's easy to override it).
>> You should consider your AJAX pages as a secondary API to your page. Assume a dedicated user will have no problem figuring out your mechanism (it is in the code after all).
>> Secure your AJAX pages the same way you would any other page. I really can't see how this is different than any other page security: escape your input, try to identify brute-forces etc.
>>
>> On Sat, Oct 2, 2010 at 12:58 AM, hairbo <[email protected]> wrote:
>>> I'm not 100% sure how to phrase this, so apologies if this post gets wordy or confusing...
>>>
>>> Is there any standard way to ensure that data received on an AJAX post page does, in fact, come to that page via an AJAX request? I could imagine somebody coming to a site that handles login via AJAX, popping open Firebug, figuring out what the AJAX post page is for the login request, and then navigating directly to that page in a browser, throwing params in the URL, just to see what might happen.
>>>
>>> Without being able to articulate exactly why, I'd say this sounds like a "bad" thing. Is there any sort of a token one passes from an AJAX post in JS back to the server for authentication?
>>>
>>> Does my question even make sense?
>>>
>>> Thanks in advance.
>>
>> --
>> Arieh Glazer
>> אריה גלזר
>> 052-5348-561
>> 5561
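The thread's conclusion is that an "AJAX post page" is just another endpoint and must be protected the way any page is: require the session, require the right method, validate input, and, for the "token passed from JS back to the server" that hairbo asks about, use a session-bound anti-CSRF token rather than trusting that the caller was XMLHttpRequest. The following is an added example written for this thread, not code from any of the participants; it uses a constructed in-memory session store, a constructed user record, and a hypothetical `Request` object standing in for whatever the web framework provides. A request that arrives by typing the URL into the browser is a GET and fails the method check; a cross-site form POST or a request that sets only `X-Requested-With` has no session-bound token and fails the token check; only a request from a page that received the token with its session gets as far as credential validation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed user store (username -> (salt, PBKDF2 hash)); not a real app's data.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}

# Hypothetical server-side session store: session id -> session data.
SESSIONS: dict = {}


def new_session() -> str:
    """Create a session and issue a random anti-CSRF token bound to it.
    The page that renders the login form embeds this token for its JS to send back."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32), "user": None}
    return sid


def csrf_token_for(sid: str) -> str:
    return SESSIONS[sid]["csrf"]


@dataclass
class Request:
    """Hypothetical stand-in for the framework's request object."""
    method: str
    headers: dict
    cookies: dict
    form: dict


def handle_login(req: Request):
    """Login handler for the AJAX endpoint. Returns (status, message).

    Note what is NOT checked: the X-Requested-With header. Any client can set
    headers, so its presence proves nothing; the session-bound token is what
    ties the request to a page this server served to this session."""
    # Direct navigation in the address bar is a GET: reject it outright.
    if req.method != "POST":
        return 405, "method not allowed"

    # Same session requirement as any other page on the site.
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 403, "no session"

    # Accept the token either as a header (typical for XHR) or as a form field.
    sent = req.headers.get("X-CSRF-Token") or req.form.get("csrf", "")
    if not sent or not hmac.compare_digest(sent, sess["csrf"]):
        return 403, "missing or invalid CSRF token"

    # Ordinary input validation and credential check, exactly as for a non-AJAX form.
    user = req.form.get("user", "")
    password = req.form.get("password", "")
    salt, stored = USERS.get(user, (_SALT, b""))
    # Always compute the hash so an unknown username takes the same time as a wrong password.
    computed = _hash_pw(password, salt)
    if not stored or not hmac.compare_digest(stored, computed):
        return 401, "invalid credentials"

    sess["user"] = user
    return 200, "ok"


if __name__ == "__main__":
    sid = new_session()
    tok = csrf_token_for(sid)
    creds = {"user": "alice", "password": "correct horse"}
    print(handle_login(Request("GET", {}, {"sid": sid}, {**creds, "csrf": tok})))
    print(handle_login(Request("POST", {"X-Requested-With": "XMLHttpRequest"}, {"sid": sid}, creds)))
    print(handle_login(Request("POST", {"X-CSRF-Token": tok}, {"sid": sid}, creds)))
```

The token is compared with `hmac.compare_digest` so the check does not leak its value through timing, and the password hash is computed even for unknown usernames so the 401 path takes the same time either way. Rate limiting of repeated failures, which Arieh mentions, would sit in front of this handler and is omitted here.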
