  1. #1 SitePoint Zealot

    Disabling remote calls to my Ajax jQuery script

    Hi,

    I'm actually not sure if this isn't possible to begin with, but thought I should ask as it's better safe than sorry.

    On a number of my pages, I use jQuery.ajax() using the json data type. For example:

    Code JavaScript:
    $("#button").click(function() {
        var data = {
            // fill data fields in here
        };
        $.ajax({
            type: 'post',
            url: '/ajax/public/basket',
            dataType: 'json',
            data: data,
            // jQuery passes (jqXHR, textStatus, errorThrown) to the error callback
            error: function( jqXHR, textStatus, errorThrown ){},
            success: function( response ){
                // put code here
            }
        });
        return false;
    });
    Would it be possible for people to execute this script from their own server? If yes, are there any preventative measures I can take to block any remote execution of the script? And, are there any other safety concerns I need to be aware of?

    Many thanks.

  2. #2 whisher (SitePoint Guru)
    Hi,
    Yes it is.
    It's called a CSRF attack.
    Take a look at Chris Shiflett's "Cross-Site Request Forgeries".
    You can also check server-side whether it's an XHR request.

    Bye

  3. #3 SitePoint Zealot
    Correct me if I'm wrong (and I probably am here!), but wouldn't it be an XHR request regardless of whether the file that triggered the ajax call was located on my server or remotely?

  4. #4 whisher (SitePoint Guru)
    I can make a request to your action /ajax/public/basket
    simply by putting that action in a form or by using curl.
    But if you have in your server-side code something like
    this
    Code PHP:
    if( $request->isPost() && $request->isXmlHttpRequest()){
       // check the token
       // your code here and you must validate the data
    }
    that can help
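As an added example (not code from either poster), here is the server-side guard whisher sketches, written in plain PHP: a per-session token, and a check that the request is a POST, is marked as XHR, and carries that token. The function names, the X-CSRF-Token header name and the array-based request data are assumptions; the jQuery call from post #1 would send the token with $.ajax's headers option.

```php
<?php
// Added example for the /ajax/public/basket action discussed above.
// Function and header names are assumptions for illustration.
declare(strict_types=1);

// Issue one random token per session; embed it in the page so the
// jQuery call can send it back in an X-CSRF-Token request header.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// True only for a POST, flagged as XHR, carrying the session's token.
// The X-Requested-With header is a convention set by jQuery, not a
// security boundary on its own; the token comparison is the control
// that actually rejects a forged form post or a curl request.
function is_trusted_ajax_post(array $server, array $session): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    if (($server['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
        return false;
    }
    $sent     = $server['HTTP_X_CSRF_TOKEN'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    // hash_equals() is a constant-time comparison; an empty expected
    // token must never validate anything.
    return $expected !== '' && hash_equals($expected, $sent);
}

// Constructed request data for a stand-alone self-check (not real traffic).
$session = [];
$token   = csrf_token($session);

// A request made by the site's own jQuery code with the embedded token.
$genuine = ['REQUEST_METHOD' => 'POST',
            'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
            'HTTP_X_CSRF_TOKEN' => $token];
// A cross-site <form> post: no custom header, no token.
$formPost = ['REQUEST_METHOD' => 'POST'];
// A scripted request that sets the header but does not know the token.
$scripted = ['REQUEST_METHOD' => 'POST',
             'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
             'HTTP_X_CSRF_TOKEN' => 'not-the-session-token'];

if (!is_trusted_ajax_post($genuine, $session)
    || is_trusted_ajax_post($formPost, $session)
    || is_trusted_ajax_post($scripted, $session)) {
    throw new RuntimeException('CSRF guard self-check failed');
}
echo "CSRF guard self-check passed\n";
```

The token check assumes the session is tied to the browser by a cookie and that the token is never exposed to other origins, so the JSON responses themselves should also not be loadable cross-site (answering JSON to a GET is the other common leak to avoid).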

