You're not being a jerk. Those are all good points. I doubt anyone's going to care to mess with it. Even if they do, the most that will happen is that one site's usability stats get inflated.
andy

-----Original Message-----
From: Raymond Camden [mailto:rcam...@gmail.com]
Sent: Monday, August 16, 2010 12:41 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

Which can also be done via CFHTTP as well. ;) Not trying to be a jerk here - but the fact is, there is no (afaik) 100% way to say that a URL is "ajax" only.

On Mon, Aug 16, 2010 at 11:51 AM, Andy Matthews <li...@commadelimited.com> wrote:
>
> Right. I know that. Good point though.
>
> I suppose I could get our JS guy to also pass in a session id. Then I
> could compare that with the actual session ID for the user and go from there.
>
> -----Original Message-----
> From: Raymond Camden [mailto:rcam...@gmail.com]
> Sent: Monday, August 16, 2010 11:42 AM
> To: cf-talk
> Subject: Re: Preventing use of remote method by other sites
>
>
> Sorry - what? Oh - are you asking if I would know to use that vector?
> If I run your site and see a request made via XHR to foo.cfm, and then
> I try to run it myself in another tab and get blocked, then yes, I
> would consider that. And I'm a "Script Kiddy Hacker" so I assume the
> real guys would try it too.
>
> Shoot - I almost always try the URLs I see in Firebug/Chrome Dev
> tools. I'm not trying to be malicious of course. Just poking around.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336303
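The thread above argues three things: an "is this XHR?" header is trivially forged by a non-browser client such as CFHTTP; a value tied to the user's session (Andy's idea of sending the session id back) does stop another site from driving the method through a visitor's browser; and neither stops a script that simply visits the page itself first. The model below is an added example, not code from the thread or from the posters, and it uses the standard synchronizer-token form of Andy's idea (a separate per-session random token rather than the session identifier itself, so the secret never appears in Referer headers or access logs). The `Server`, `Request`, `CFID` cookie and `token` parameter names, and the four client scenarios, are assumptions made for the model; the remote method returns the result of both checks so each scenario can be compared.

```python
# Added example (not from the cf-talk thread): a small model of the clients
# discussed above hitting one "remote method", checked two ways. The Server,
# Request, CFID cookie and token parameter names are assumptions for the model.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


class Server:
    """Holds sessions; each session is issued its own random AJAX token."""

    def __init__(self):
        self.sessions = {}  # session id -> {"token": str}

    def render_page(self):
        """GET of the HTML page: starts a session and embeds the token for the
        site's own JavaScript to send back with every XHR."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"token": secrets.token_urlsafe(32)}
        return {"cookie": {"CFID": sid}, "ajax_token": self.sessions[sid]["token"]}

    def header_check(self, req):
        """Weak check: a header any non-browser client can set at will."""
        return req.headers.get("X-Requested-With") == "XMLHttpRequest"

    def token_check(self, req):
        """Synchronizer-token check: the token parameter must match the one
        issued to the session identified by the cookie (constant-time compare)."""
        sess = self.sessions.get(req.cookies.get("CFID"))
        if sess is None:
            return False
        return hmac.compare_digest(sess["token"], req.params.get("token", ""))

    def remote_method(self, req):
        """Returns (header_check passed, token_check passed)."""
        return (self.header_check(req), self.token_check(req))


def own_site_xhr(server):
    """The site's own page: the browser sends the session cookie, the page's
    JS adds the X-Requested-With header and the embedded token."""
    page = server.render_page()
    req = Request(headers={"X-Requested-With": "XMLHttpRequest"},
                  cookies=page["cookie"],
                  params={"token": page["ajax_token"], "rating": "5"})
    return server.remote_method(req)


def cross_site_form_post(server):
    """Victim already has a session; another site auto-submits a form at the
    remote method. The browser attaches the victim's cookie, but a form post
    cannot carry a custom header and the other site never saw the token."""
    page = server.render_page()  # the victim's existing session
    req = Request(cookies=page["cookie"], params={"rating": "5"})
    return server.remote_method(req)


def token_from_other_session(server):
    """An attacker's own token sent alongside the victim's cookie: fails,
    because the token is bound to the session that was issued it."""
    victim = server.render_page()
    attacker = server.render_page()
    req = Request(headers={"X-Requested-With": "XMLHttpRequest"},
                  cookies=victim["cookie"],
                  params={"token": attacker["ajax_token"], "rating": "5"})
    return server.remote_method(req)


def scripted_client(server):
    """A CFHTTP/curl-style client: fetch the page like any visitor, read the
    token out of it, then call the method with a forged header. On the wire
    this is identical to own_site_xhr, so both checks pass: the point made
    in the thread about there being no 100% way to tell."""
    page = server.render_page()
    req = Request(headers={"X-Requested-With": "XMLHttpRequest"},
                  cookies=page["cookie"],
                  params={"token": page["ajax_token"], "rating": "5"})
    return server.remote_method(req)


if __name__ == "__main__":
    for scenario in (own_site_xhr, cross_site_form_post,
                     token_from_other_session, scripted_client):
        print(f"{scenario.__name__:26} header_ok, token_ok = {scenario(Server())}")
```

The cross-site form post fails the header check only because browsers will not attach a custom header to a form submission or to a cross-origin XHR without CORS approval; the token check does not depend on that browser behaviour, which is why it is the one worth keeping. Neither check tells a scripted first-party client apart from the site's own JavaScript, which is exactly the "you can do that with CFHTTP" observation above.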