I've been able to block it partially.
In my Ajax controller:

    from pylons import request
    from pylons.controllers.util import redirect_to

    def __before__(self):
        # runs before every action of this controller
        if request.headers.get('X-Requested-With') != 'XMLHttpRequest':
            redirect_to(...)

I know that "X-Requested-With" can be added to the headers manually, but
this is better than nothing.

Przemek

On Oct 20, 4:55 pm, aaditya sood <[EMAIL PROTECTED]> wrote:
> Hi,
>
> If you're really worried about this, one slight modification is to  
> generate a signature for your page (with some expiration time built  
> in) and use that to make the call. Your controller can check whether  
> the call is indeed coming from your page API.
>
> It is trivial to disassemble this logic, but it does provide a higher  
> barrier to entry. It is also useful for preventing XSS attacks.
>
> regards
> --
> /A
>
> On 20-Oct-08, at 7:46 PM, jerry wrote:
>
>
>
> > With your current design, you can't.
>
> > For my site, I do not have separate controllers/routes for AJAX,
> > instead, different values are returned from a generic controller
> > according to request type --
>
> > class ElementController(BaseController):
> >    def get(self, id):
> >        populate_c(id)
> >        if request.is_xhr:
> >            return render('ajax_fragment_template')
> >        return render('full_page_template')
>
> > Jerry
>
> > On Oct 15, 10:26 am, "przemek.ch" <[EMAIL PROTECTED]> wrote:
> >> Hi,
>
> >> I've built two select boxes. In the onchange handler of the first select
> >> box I fill the second one with Ajax, using the selected value as a
> >> parameter.
> >> It works.
>
> >> function loadElements(groupID){
> >>     $("#secondSelectDiv").load("${h.url_for(controller='ajax', action='getElements', id='')}" + groupID);
> >> }
>
> >> The problem is that an url is generated to my method.
> >> for example http://localhost:5000/ajax/getElements/1
> >> And it can be called directly from the browser.
>
> >> How can I hide or block that.
>
> >> If I use @restrict('POST') from pylons.decorators.rest on the
> >> method, then it will also be blocked for the jQuery load method.
>
> >> Any ideas?
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/pylons-discuss?hl=en
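The signed, expiring page token that aaditya sketches, combined with Przemek's X-Requested-With check, as an added example. This is not code from any of the posters or from Pylons itself; it is plain Python so it runs stand-alone. The header name X-Page-Token, the "ajax:getElements" scope string, the SECRET constant and the injectable `now` clock are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import time

# Hypothetical server-side secret. In a real Pylons app load it from the
# .ini config (or a secrets store) at startup; never hard-code it.
SECRET = b"change-me-to-32-random-bytes-from-os.urandom"


def _mac(scope, expiry, secret):
    """HMAC-SHA256 over 'scope|expiry', URL-safe base64 without padding."""
    msg = ("%s|%d" % (scope, expiry)).encode("utf-8")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def issue_token(scope, secret=SECRET, ttl=300, now=None):
    """Mint a token to embed in the rendered page.

    scope  -- what the token is good for, e.g. "ajax:getElements" plus the
              user's session id, so one page's token cannot be replayed
              against another endpoint or by another user.
    ttl    -- lifetime in seconds (the expiry aaditya mentions).
    now    -- injectable clock, used by the tests (assumption).
    Returns "<expiry>.<mac>".
    """
    now = int(time.time() if now is None else now)
    expiry = now + ttl
    return "%d.%s" % (expiry, _mac(scope, expiry, secret))


def verify_token(token, scope, secret=SECRET, now=None):
    """True only if the token is well-formed, its MAC matches and it is unexpired."""
    try:
        expiry_s, mac_s = token.split(".", 1)
        expiry = int(expiry_s)
    except (AttributeError, ValueError):
        return False                      # malformed: no '.' or non-integer expiry
    try:
        # Authenticate first, then trust the expiry field. Constant-time
        # comparison: never compare MACs with ==.
        if not hmac.compare_digest(_mac(scope, expiry, secret), mac_s):
            return False
    except TypeError:                     # non-ASCII text in the MAC part
        return False
    now = int(time.time() if now is None else now)
    return now < expiry


def is_allowed_ajax_call(headers, scope, secret=SECRET, now=None):
    """Gate to call from an Ajax controller's __before__ hook.

    headers -- a mapping with .get(), like Pylons' request.headers
               (constructed dicts in the tests).
    Both checks must pass: the XHR marker header and a valid signed token
    carried in the hypothetical X-Page-Token header.
    """
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return False
    return verify_token(headers.get("X-Page-Token", ""), scope, secret, now)
```

Wiring it in: the page template embeds `issue_token(scope)` (for example in a hidden input), the jQuery call attaches it with `beforeSend: function(xhr){ xhr.setRequestHeader('X-Page-Token', token); }`, and `__before__` calls `is_allowed_ajax_call(request.headers, scope)` and aborts with 403 otherwise. Caveat, in line with what aaditya says: anyone who can load the page can read the token, so this does not stop the page's own user from hitting /ajax/getElements/1 with curl. What it does stop is a third-party site driving the endpoint with the victim's cookies, because a cross-origin page can neither read the token nor set a custom header such as X-Requested-With without a CORS preflight that the server does not answer.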