From: jlm...@gmail.com
Date: Tue, 8 Oct 2013 05:23:05
To: Struts Users Mailing List; Alireza Fattahi
Reply-To: jlm...@gmail.com
Subject: Re: Prevent Ajax Multi-Request in Struts 2
What are you using on the client for the Ajax calls? Dojo? jQuery? They both
generate an http header “x
from T-Mobile
-Original Message-
From: Alireza Fattahi
Date: Mon, 7 Oct 2013 22:01:47
To: Struts Users Mailing List
Reply-To: "Struts Users Mailing List"
Subject: Re: Prevent Ajax Multi-Request in Struts 2
Jose,
I am still in the middle of this problem :(
Can you please let me
September 2013, 16:13
Subject: Re: Prevent Ajax Multi-Request in Struts 2
Hi,
Since XHR requests cannot be cross-domain, you cannot get a CSRF through
XHR (the browser will not allow another page to send an XHR to your server).
The only option would be a normal post against your supposed-ajax URL
Struts 2
To mitigate, add a "nonce" to the form
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Saludos
Martin-
> Date: Thu, 26 Sep 2013 08:43:12 -0400
> Subject: Re: Prevent Ajax Multi-Request in Struts 2
> From: jlm...@gmail.com
> To: user@struts.apache.o
Alireza, use some sort of pre-authenticated token. Ignore requests that
have a bad token.
On Thu, Sep 26, 2013 at 7:43 AM, JOSE L MARTINEZ-AVIAL wrote:
> Hi,
> Since XHR requests cannot be cross-domain, you cannot get a CSRF through
> XHR (the browser will not allow another page to send an XHR t
Hi,
Since XHR requests cannot be cross-domain, you cannot get a CSRF through
XHR (the browser will not allow another page to send an XHR to your server).
The only option would be a normal post against your supposed-ajax URL. In
order to protect against it, we check for an HTTP header that is sent o