I think Florian meant that its not possible to change HTTP headers by Javascript XSS attacks (or am I wrong here as well?).
Athor attacks that doesn't use a browser as their client can ofcourse manipulate what is_ajax() returns. To the actual proposal: I have the same opinion here as Florian. It's an workaround for an edgecase that isn't defined in a standard. The best way - if you really need it - to have it, is to implement the method your self and inject it to the request object in a middleware. -- Servus, Gregor Müllegger 2010/7/17 David <djfis...@gmail.com>: >> This input field is easily fakeable. An attacker can't fake your >> browsers XHR requests, which makes request.is_ajax somewhat secure and >> trustable. I don't see how your solution could achieve that. > > is_ajax() simply checks an HTTP header. It is easily set by an > attacker. > > On Jul 16, 2:30 pm, Florian Apolloner <f.apollo...@gmail.com> wrote: >> Hi, >> >> On Jul 16, 7:25 pm, David De La Harpe Golden >> >> <david.delaharpe.gol...@ichec.ie> wrote: >> > People doing ajax have probably hit the "XMLHttpRequest doesn't do file >> > uploads (at least not non-browser-specifically), use a hidden iframe >> > kludge or flash" issue. Anyway, maybe that will change one day >> >> It's already changing, modern browsers can do what you want (google >> for html5 file uploads). I don't see any reason to support something >> like you suggest; we should support standards and not workarounds >> (just my opinion). Imo the best way currently is to use the new apis >> and fallback to flash or whatever if needed (I actually guess flash is >> the best fallback here). >> >> > The hidden-iframe requests will AFAIK show up with request.is_ajax() == >> > False to django. So a "done thing" (I think) to distinguish between the >> > non-ajax and hidden-iframe requests seems to be to just have an extra >> > field to act as a pseudo-header, i.e. >> >> > <input type="hidden" name="X-Requested-With" value="ScriptedIFrame"> >> >> This input field is easily fakeable. An attacker can't fake your >> browsers XHR requests, which makes request.is_ajax somewhat secure and >> trustable. I don't see how your solution could achieve that. >> >> > or "?X-Requested-With=ScriptedIFrame" >> >> Same as above. >> >> > It might nonetheless be nice for django to have some support for >> > checking for some particular pseudo-header. >> >> -1, mostly due to the fact that it's something most people won't need >> and you can easily inject that info using a middleware yourself. Hence >> I am for solution A. >> >> Cheers, >> Florian > > -- > You received this message because you are subscribed to the Google Groups > "Django developers" group. > To post to this group, send email to django-develop...@googlegroups.com. > To unsubscribe from this group, send email to > django-developers+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/django-developers?hl=en. > > -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
