Fattahi
afatt...@yahoo.com
Sent: Thursday, 26 September 2013, 16:13
Subject: Re: Prevent Ajax Multi-Request in Struts 2
Hi,
Since XHR request can not be cross-domain, you can not get a CSRF through
XHR (the browser will not allow other page to send a XHR to your server).
The only option would
from T-Mobile
-Original Message-
From: Alireza Fattahi afatt...@yahoo.com
Date: Mon, 7 Oct 2013 22:01:47
To: Struts Users Mailing List user@struts.apache.org
Reply-To: Struts Users Mailing List user@struts.apache.org
Subject: Re: Prevent Ajax Multi-Request in Struts 2
Jose,
I am still
-
From: jlm...@gmail.com
Date: Tue, 8 Oct 2013 05:23:05
To: Struts Users Mailing List user@struts.apache.org; Alireza
Fattahi afatt...@yahoo.com
Reply-To: jlm...@gmail.com
Subject: Re: Prevent Ajax Multi-Request in Struts 2
What are you using on the client for the ajax calls? Dojo? jQuery
: RE: Prevent Ajax Multi-Request in Struts 2
To mitigate, add a nonce to the form
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Saludos
Martin-
Date: Thu, 26 Sep 2013 08:43:12 -0400
Subject: Re: Prevent Ajax Multi-Request in Struts 2
From: jlm...@gmail.com
To: user
Hi,
Since XHR request can not be cross-domain, you can not get a CSRF through
XHR (the browser will not allow other page to send a XHR to your server).
The only option would be a normal post against your supposed-ajax URL. In
order to protect against it, we check for an HTTP header that is sent
Alireza, use some sort of pre-authenticated token. Ignore requests that
have a bad token.
On Thu, Sep 26, 2013 at 7:43 AM, JOSE L MARTINEZ-AVIAL jlm...@gmail.com wrote:
Hi,
Since XHR request can not be cross-domain, you can not get a CSRF through
XHR (the browser will not allow other page
To mitigate, add a nonce to the form
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Saludos
Martin-
Date: Thu, 26 Sep 2013 08:43:12 -0400
Subject: Re: Prevent Ajax Multi-Request in Struts 2
From: jlm...@gmail.com
To: user@struts.apache.org; afatt...@yahoo.com
Hi
Hi,
We want to avoid multi-request sent via Ajax in struts 2 web based application.
The `s:token` can be used in regular request-response jsp pages, but it will
not work for ajax requests. The problem is the returned response, which does not
populate new value for struts token.
I found this