Right. I know that. Good point though. I suppose I could get our JS guy to also pass in a session id. Then I could compare that with the actual session ID for the user and go from there.
-----Original Message-----
From: Raymond Camden [mailto:rcam...@gmail.com]
Sent: Monday, August 16, 2010 11:42 AM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

Sorry - what? Oh - are you asking if I would know to use that vector? If I run your site and see a request made via XHR to foo.cfm, and then I try to run it myself in another tab and get blocked, then yes, I would consider that. And I'm a "Script Kiddy Hacker" so I assume the real guys would try it too. Shoot - I almost always try the URLs I see in Firebug/Chrome Dev tools. I'm not trying to be malicious of course. Just poking around.

On Mon, Aug 16, 2010 at 11:34 AM, Andy Matthews <li...@commadelimited.com> wrote:
>
> Yes, but would you know TO do that?
>
>
> andy
>
> -----Original Message-----
> From: Raymond Camden [mailto:rcam...@gmail.com]
> Sent: Monday, August 16, 2010 11:30 AM
> To: cf-talk
> Subject: Re: Preventing use of remote method by other sites
>
>
> Don't forget you can easily set those headers yourself. I could set up
> cfhttp to use that header and hit your resource.
>
>
> On Fri, Aug 13, 2010 at 3:31 PM, Andy Matthews
> <li...@commadelimited.com>
> wrote:
>>
>> Works perfectly Tony. I simplified the conditional tho'
>>
>> <cfif StructKeyExists(headers,'X-Requested-With') AND
>> headers['X-Requested-With'] EQ 'XMLHttpRequest'>
>>
>> </cfif>
>
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336299
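An added illustration of the two checks this thread discusses, not code from anyone on the list and written in Python rather than CFML so it runs stand-alone: the X-Requested-With test that Tony and Andy used, next to the session-bound check Andy proposes in his reply. It assumes a server-side session scope (a plain dict here), a custom header named X-Request-Token for the value the page's JavaScript sends back, and uses a random per-session token rather than the session ID itself; all three are assumptions, and the requests are constructed samples.

```python
import hmac
import secrets


def _normalize(headers):
    """Header names are case-insensitive; compare them in one canonical form."""
    return {name.lower(): value for name, value in headers.items()}


def passes_header_check(headers):
    """The check quoted in the thread: accept if X-Requested-With says
    XMLHttpRequest. Any HTTP client (cfhttp, a script) can send that header,
    so it only turns away a browser typing the URL into another tab, not
    another site's server."""
    h = _normalize(headers)
    return h.get("x-requested-with") == "XMLHttpRequest"


def issue_request_token(session):
    """Mint a random token, keep it in the server-side session (assumed dict
    here) and hand it to the page so its JavaScript can echo it on each XHR."""
    token = secrets.token_urlsafe(32)
    session["request_token"] = token
    return token


def passes_token_check(headers, session):
    """Accept only if the request carries the token bound to *this* session.
    hmac.compare_digest keeps the comparison constant-time."""
    h = _normalize(headers)
    expected = session.get("request_token")
    supplied = h.get("x-request-token")   # assumed header name
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def demo():
    """Constructed requests: a real XHR from the page versus a request from
    another server that copied the X-Requested-With header (trivial, as the
    thread notes) but cannot know the token tied to the user's session."""
    session = {}                      # stands in for the ColdFusion session scope
    token = issue_request_token(session)

    legit_xhr = {
        "X-Requested-With": "XMLHttpRequest",
        "X-Request-Token": token,
    }
    forged_from_other_site = {
        "X-Requested-With": "XMLHttpRequest",          # copied; proves nothing
        "X-Request-Token": secrets.token_urlsafe(32),  # a guess, never matches
    }
    return {
        "legit_header": passes_header_check(legit_xhr),
        "legit_token": passes_token_check(legit_xhr, session),
        "forged_header": passes_header_check(forged_from_other_site),
        "forged_token": passes_token_check(forged_from_other_site, session),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The header check lets both requests through; only the token check tells them apart, because the token lives in the server session and in the page that session rendered, which is exactly the comparison Andy describes wanting to make.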