Okay. Phew. This is a single CFC available on our site.


andy 

-----Original Message-----
From: Tony Bentley [mailto:cascadefreehee...@gmail.com] 
Sent: Friday, August 13, 2010 4:17 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites


Yes you are right. I just wasn't sure if you were building an API or
something that would require public access.

On Fri, Aug 13, 2010 at 1:48 PM, Andy Matthews
<li...@commadelimited.com> wrote:

>
> But crossdomain policies would prevent it from being accessed via AJAX 
> right?
>
>
>
> andy
>
> -----Original Message-----
> From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
> Sent: Friday, August 13, 2010 3:33 PM
> To: cf-talk
> Subject: Re: Preventing use of remote method by other sites
>
>
> Any time!
>
> Keep in mind that anyone can call your method with Ajax so you still 
> need to verify the request (localhost or otherwise)
>
> On Fri, Aug 13, 2010 at 1:17 PM, Andy Matthews
> <li...@commadelimited.com> wrote:
>
> >
> > Oooh. That's a good idea. Since we're using it for AJAX, then make 
> > it so that it can ONLY be used as AJAX, which would prevent other 
> > sites from using it because of the cross site scripting.
> >
> > Great idea Tony, thanks!
> >
> > -----Original Message-----
> > From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
> > Sent: Friday, August 13, 2010 2:55 PM
> > To: cf-talk
> > Subject: Re: Preventing use of remote method by other sites
> >
> >
> > I use a cfc that checks to see if the method being called is from 
> > within the domain, is indeed ajax and that the method is indeed 
> > accessed remotely, otherwise abort the request. If you are doing 
> > cross site requests, pass a unique key in your form.
> >
> > Is it ajax?
> >
> >    <cffunction name="isAjax" access="private" returntype="boolean"
> > output="false">
> >        <!---
> >        all of the user management requests are going to come via 
> > ajax within the domain.
> >        if a request is not from this site and not ajax, abort the request
> >        run this check on any of the remote methods
> >        --->
> >        <cfscript>
> >            requestHeaders = getHTTPRequestData().headers;
> >            if(not StructKeyExists(requestHeaders, "X-Requested-With")){
> >                 return false;
> >            }
> >            else if(StructFind(requestHeaders,"X-Requested-With") neq 
> > "XMLHttpRequest"){
> >                return false;
> >            }
> >            else{
> >                return true;
> >            }
> >        </cfscript>
> >    </cffunction>
> >
> >
> > Called on init:
> >
> >        <cfparam name="url.method" default="">
> >        <cfscript>
> >            accessRemote = false;
> >            cfcname = getmetadata(this);
> >            for(i=1;i lte arrayLen(cfcname.FUNCTIONS);i++){
> >                fname = cfcname.FUNCTIONS[i];
> >                if(fname.name eq url.method && fname.access eq "remote"){
> >                    accessRemote = true;
> >                    break;
> >                }
> >            }
> >            if(not isAjax() and not accessRemote){
> >                abort();//this is a simple cfabort function for MX
> >            }
> >        </cfscript>
> >
> >
> >
> > On Fri, Aug 13, 2010 at 11:17 AM, Andy Matthews
> > <li...@commadelimited.com> wrote:
> >
> > >
> > > I have a method that I'm exposing remotely. We'll be using AJAX 
> > > calls to insert usability stats about a new application. I'm 
> > > working through the code when I realize that since it's remote 
> > > access, anyone from any site could post to it and skew our results.
> > >
> > > I'm wondering what's the best way to prevent access to this URL 
> > > from any other site, or code. My first thought was to compare the 
> > > current URL, dev1 for example, to the URL the request was made 
> > > from, or perhaps the IP address. But I'm not sure how to get that information.
> > >
> > > Anyone have ideas?
> > >
> > >
> > >
> > > andy matthews
> > >
> > >
> >
> >
> >
> >
>
>
>
> 



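As an added example that is not code from this thread (the function names and the dictionary layout are assumptions), here is the guard Tony describes, ported to Python so the decision logic can be run and tested stand-alone: the called method must be declared remote, the request must carry X-Requested-With: XMLHttpRequest, and, because that header is set by whatever client sends the request, the form must also echo the "unique key" the server issued into the caller's session.

```python
# Added example, not the thread's CFC code: the three checks from the
# discussion (remote method, XHR header, server-issued key) as plain functions.
import hmac
import secrets

# Constructed stand-in for getMetadata(this).FUNCTIONS on the CFC
CFC_FUNCTIONS = [
    {"name": "logStat", "access": "remote"},
    {"name": "isAjax", "access": "private"},
]


def is_remote_method(method: str, functions=CFC_FUNCTIONS) -> bool:
    """Mirror the init loop: url.method must name a function with access='remote'.
    CF's 'eq' is case-insensitive, so compare lower-cased names."""
    return any(f["name"].lower() == method.lower() and f["access"] == "remote"
               for f in functions)


def is_ajax(headers: dict) -> bool:
    """Tony's isAjax(): HTTP header names are case-insensitive, so normalise them.
    Any HTTP client can add this header, so it only filters accidental non-XHR hits."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("x-requested-with", "").lower() == "xmlhttprequest"


def issue_key(session: dict) -> str:
    """Server side: mint a per-session key to embed in the page that makes the call."""
    session["remoteKey"] = secrets.token_urlsafe(32)
    return session["remoteKey"]


def guard_remote_request(method: str, headers: dict, form: dict, session: dict) -> bool:
    """True only if every check passes; the CFC should abort otherwise."""
    if not is_remote_method(method):
        return False
    if not is_ajax(headers):
        return False
    expected = session.get("remoteKey")
    submitted = form.get("key", "")
    if not expected:
        return False            # no key was ever issued to this session
    # Constant-time comparison so response timing does not leak the key
    return hmac.compare_digest(expected, submitted)
```

A request that sets the header but lacks the session-bound key is rejected, which is the case the header check on its own cannot catch.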
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336280