In a message from Vladimir Dronnikov dated Monday, 01 February 2010:
> > Security risk.
> > For is_xhr requests you can disable CSRF checks, as there is no known way
> > of sending a cross-site forged request with this header set. But it's
> > trivial to spoof one more field.
> 
> Is there a way to fix the issue? I can't believe it's _intended_ that
> one can't upload files via XMLHTTPRequest.

Use the latest browsers only: http://hacks.mozilla.org/2009/12/uploading-files-with-xmlhttprequest/

So, for 99% of us - no, there is no way (not with XMLHTTPRequest - you can use 
e.g. Flash, or iframes, as you are doing now).

Alas, if you do perform CSRF checks anyway, you can still use the hidden field 
method, as you suggested.

-- 
Paweł Stradomski

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/pylons-discuss?hl=en.
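The two approaches compared in this thread, as an added example that is not code from the thread or from Pylons: a server-side check that skips the token for XHR requests (the X-Requested-With header cannot be set by a cross-site form) and otherwise requires a session-bound token in a hidden field, which is what an iframe or Flash upload can carry. Beside it is the "one more field" variant the reply warns against. The Request class is a constructed stand-in for a WebOb request, and the field names `_csrf_token` and `is_xhr` are assumptions for illustration.

```python
import hmac
import secrets


class Request:
    """Constructed stand-in for a Pylons/WebOb request: only the attributes
    the checks below need (method, headers, form params, session)."""

    def __init__(self, method, headers=None, params=None, session=None):
        self.method = method
        self.headers = headers or {}
        self.params = params or {}
        self.session = session if session is not None else {}

    @property
    def is_xhr(self):
        # Same test WebOb's request.is_xhr performs. A cross-site <form>
        # cannot add custom request headers; only same-origin script using
        # XMLHttpRequest can, so the header is evidence of a same-origin call.
        return self.headers.get("X-Requested-With") == "XMLHttpRequest"


def get_csrf_token(session):
    """Return the session's secret token, generating it on first use."""
    if "_csrf" not in session:
        session["_csrf"] = secrets.token_urlsafe(32)
    return session["_csrf"]


def weak_check(request, flag_field="is_xhr"):
    """The 'one more field' approach: a hidden field that merely claims the
    request came from script. Any cross-site form can include it (assumed
    field name is_xhr=1), so this is not a CSRF defence."""
    return request.is_xhr or request.params.get(flag_field) == "1"


def csrf_check(request, field="_csrf_token"):
    """Skip the token for XHR (header cannot be forged cross-site); otherwise
    require the hidden field (assumed name _csrf_token) to carry the session's
    secret, which an iframe/Flash multipart upload can include."""
    if request.method in ("GET", "HEAD", "OPTIONS"):
        return True
    if request.is_xhr:
        return True
    submitted = request.params.get(field)
    expected = request.session.get("_csrf")
    if not submitted or not expected:
        return False
    # Constant-time comparison so a token cannot be guessed byte by byte.
    return hmac.compare_digest(submitted, expected)


def scenarios():
    """Run the checks against requests that all arrive with the victim's
    session cookie, which the browser attaches even to attacker-triggered
    requests. Inputs are constructed for this example."""
    session = {}
    token = get_csrf_token(session)
    upload = {"file": "file contents"}  # stands in for the multipart part

    # Same-origin XHR upload (newer browsers): header present, no token needed.
    xhr = Request("POST", headers={"X-Requested-With": "XMLHttpRequest"},
                  params=dict(upload), session=session)
    # Same-origin <form target="iframe"> upload: the page embedded the token.
    iframe = Request("POST", params=dict(upload, _csrf_token=token),
                     session=session)
    # Auto-submitting form on an attacker's site: it can add any field it
    # likes (the fake flag, a guessed token) but cannot set the header or
    # read the victim's session token.
    forged = Request("POST", params=dict(upload, is_xhr="1",
                                         _csrf_token="not the real one"),
                     session=session)

    return {
        "xhr": csrf_check(xhr),
        "iframe": csrf_check(iframe),
        "forged": csrf_check(forged),
        "forged_accepted_by_weak_check": weak_check(forged),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The token check is the only one of the two that distinguishes the forged request from the iframe upload: both lack the header, both can carry arbitrary hidden fields, but only the same-origin page can read the session's token and put it in the form.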
