Very interesting, let me check... Yes, indeed. Wonder how I can leverage that. If it was serialized or hashed with some server-specific secret key, that might be enough to sandbox this!
I will have to explore that. Thanks John.

--

On Aug 9, 11:05 am, "John Resig" <[EMAIL PROTECTED]> wrote:
> jQuery sends along an extra header:
> X-Requested-With:
> that you can use to determine that the resource was requested with an
> Ajax request. Hope that helps!
>
> --John
>
> On 8/9/07, Pops <[EMAIL PROTECTED]> wrote:
> >
> > I have a generic security question related to AJAX:
> >
> > Are there any established technique, method or recommendation on how a
> > server can distinguish an AJAX call versus a LINK call vs a manual
> > ADDRESS BAR call?
> >
> > Is the Http request header Referrer, one method to consider?
> >
> > Now that we are doing more AJAX calls, we see that we need to make
> > sure we have control over how unrestricted AJAX calls are done. I
> > think we already concluded that we will restrict any AJAX call to our
> > web services to a POST only. Not the best solution to address
> > injection vulnerabilities, but it might limit the population of
> > would-be wannabe hackers.
> >
> > Comments?

