@Ryan: Yeah, sorry... sloppy use of language.

On Oct 4, 10:20 am, Ryan Florence <[email protected]> wrote:
> Ofc you can use get with ajax, but you said "an ajax post" in your original
> email, that's all. Again, ajax security requires the same precautions as
> normal page loads
>
> Sent from my iPhone
>
> On Oct 4, 2010, at 8:15 AM, hairbo <[email protected]> wrote:
>
> > Thanks to all who replied. @ryan, I'm 99% sure you can make an AJAX
> > request with GET params, so the contents of the querystring would
> > matter, potentially. @arieh, I don't have the notion that AJAX is
> > inherently more secure. Mostly, I just need to make sure that data
> > posted directly to an AJAX page outside the context of an AJAX request
> > won't "break the world". So the general question is whether there was
> > some industry standard for ensuring requests to an AJAX post page
> > really do come from an AJAX caller. If the answer is "no", that's
> > fine. I'll deal with my issues in other ways.
> >
> > Thanks again.
> >
> > On Oct 2, 2:11 am, אריה גלזר <[email protected]> wrote:
> >> I don't see the problem. The problem might be the notion that AJAX is more
> >> secure. AJAX is no different than a regular POST, other than the same-domain
> >> policy (which - I agree, is a tiny bit more secure, but only that much,
> >> since, as you demonstrated, it's easy to override it).
> >> You should consider your AJAX pages as a secondary API to your page. Assume a
> >> dedicated user will have no problem figuring out your mechanism (it is in the
> >> code after all).
> >> Secure your AJAX pages the same way you would any other page - I really
> >> can't see how this is different than any other page security - escape your
> >> input, try to identify brute-forces etc.
> >>
> >> On Sat, Oct 2, 2010 at 12:58 AM, hairbo <[email protected]> wrote:
> >>> I'm not 100% sure how to phrase this, so apologies if this post gets
> >>> wordy or confusing...
> >>>
> >>> Is there any standard way to ensure that data received on an AJAX post
> >>> page does, in fact, come to that page via an AJAX request? I could
> >>> imagine somebody coming to a site that handles login via AJAX, popping
> >>> open Firebug, figuring out what the AJAX post page is for the login
> >>> request, and then navigating directly to that page in a browser,
> >>> throwing params in the URL, just to see what might happen.
> >>>
> >>> Without being able to articulate exactly why, I'd say this sounds like
> >>> a "bad" thing. Is there any sort of a token one passes from an AJAX
> >>> post in JS back to the server for authentication?
> >>>
> >>> Does my question even make sense?
> >>>
> >>> Thanks in advance.
> >>
> >> --
> >> Arieh Glazer
> >> אריה גלזר
> >> 052-5348-561
