subject:"request.is_ajax\(\) and hidden iframe kludge => request.is

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

2010-07-19 Thread David De La Harpe Golden

On 18/07/10 10:03, Florian Apolloner wrote: > On Jul 17, 11:29 am, Gregor Müllegger wrote: >> I think Florian meant that its not possible to change HTTP headers by >> Javascript XSS attacks (or am I wrong here as well?). > Exactly. I think you're thinking of CSRF,

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

2010-07-18 Thread Florian Apolloner

On Jul 17, 11:29 am, Gregor Müllegger wrote: > I think Florian meant that its not possible to change HTTP headers by > Javascript XSS attacks (or am I wrong here as well?). Exactly. -- You received this message because you are subscribed to the Google Groups "Django

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

2010-07-17 Thread Gregor Müllegger

I think Florian meant that its not possible to change HTTP headers by Javascript XSS attacks (or am I wrong here as well?). Athor attacks that doesn't use a browser as their client can ofcourse manipulate what is_ajax() returns. To the actual proposal: I have the same opinion here as Florian.

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

2010-07-16 Thread David

> This input field is easily fakeable. An attacker can't fake your > browsers XHR requests, which makes request.is_ajax somewhat secure and > trustable. I don't see how your solution could achieve that. is_ajax() simply checks an HTTP header. It is easily set by an attacker. On Jul 16, 2:30 pm,

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

2010-07-16 Thread Florian Apolloner

Hi, On Jul 16, 7:25 pm, David De La Harpe Golden wrote: > People doing ajax have probably hit the "XMLHttpRequest doesn't do file > uploads (at least not non-browser-specifically), use a hidden iframe > kludge or flash" issue. Anyway, maybe that will change one

request.is_ajax() and hidden iframe kludge => request.is_framejax()?

2010-07-16 Thread David De La Harpe Golden

People doing ajax have probably hit the "XMLHttpRequest doesn't do file uploads (at least not non-browser-specifically), use a hidden iframe kludge or flash" issue. Anyway, maybe that will change one day, but right now: Things that try to handle file uploads via hidden iframes, like the

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

request.is_ajax() and hidden iframe kludge => request.is_framejax()?

6 matches

Site Navigation

Mail list logo

Footer information