Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

2010-07-19 Thread David De La Harpe Golden 
On 18/07/10 10:03, Florian Apolloner wrote:
> On Jul 17, 11:29 am, Gregor Müllegger  wrote:
>> I think Florian meant that its not possible to change HTTP headers by
>> Javascript XSS attacks (or am I wrong here as well?).
> Exactly.

I think you're thinking of CSRF, javascripted client-side parts of XSS
attacks run in the script context of the page they're injected into
whatever that may be and could AFAIUI toggle the real header, insert the
hidden field, grab cookies and whatnot.

Re CSRF: That's why I wasn't suggesting making is_ajax() return true for
the pseudo-header, as you wouldn't want is_framejax() to trigger bypass
of the csrf countermeasure middleware - in fact you might want
to require it, raising an exception if it's called before
request.csrf_processing_done or something.

Actually, now that csrf_token is more controllably exposed, how does
one _not_ exempt is_ajax() requests from the csrf countermeasure check?
(never mind, rhetorical, "make copypasta csrf middleware that doesn't
bypass" is probably adequate...)

Anyway, probably too specialised to worry about, and a custom middleware
can, as pointed out, handle it if necessary.  Roll on HTML5...

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-develop...@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

2010-07-18 Thread Florian Apolloner 
On Jul 17, 11:29 am, Gregor Müllegger  wrote:
> I think Florian meant that its not possible to change HTTP headers by
> Javascript XSS attacks (or am I wrong here as well?).
Exactly.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-develop...@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

2010-07-17 Thread Gregor Müllegger 
I think Florian meant that its not possible to change HTTP headers by
Javascript XSS attacks (or am I wrong here as well?).

Athor attacks that doesn't use a browser as their client can ofcourse
manipulate what is_ajax() returns.


To the actual proposal: I have the same opinion here as Florian. It's an
workaround for an edgecase that isn't defined in a standard. The best way -
if you really need it - to have it, is to implement the method your self and
inject it to the request object in a middleware.


--
Servus,
Gregor Müllegger

2010/7/17 David :
>> This input field is easily fakeable. An attacker can't fake your
>> browsers XHR requests, which makes request.is_ajax somewhat secure and
>> trustable. I don't see how your solution could achieve that.
>
> is_ajax() simply checks an HTTP header. It is easily set by an
> attacker.
>
> On Jul 16, 2:30 pm, Florian Apolloner  wrote:
>> Hi,
>>
>> On Jul 16, 7:25 pm, David De La Harpe Golden
>>
>>  wrote:
>> > People doing ajax have probably hit the "XMLHttpRequest doesn't do file
>> > uploads (at least not non-browser-specifically), use a hidden iframe
>> > kludge or flash" issue. Anyway, maybe that will change one day
>>
>> It's already changing, modern browsers can do what you want (google
>> for html5 file uploads). I don't see any reason to support something
>> like you suggest; we should support standards and not workarounds
>> (just my opinion). Imo the best way currently is to use the new apis
>> and fallback to flash or whatever if needed (I actually guess flash is
>> the best fallback here).
>>
>> > The hidden-iframe requests will AFAIK show up with request.is_ajax() ==
>> > False to django.  So a "done thing" (I think) to distinguish between the
>> > non-ajax and hidden-iframe requests seems to be to just have an extra
>> > field to act as a pseudo-header, i.e.
>>
>> > 
>>
>> This input field is easily fakeable. An attacker can't fake your
>> browsers XHR requests, which makes request.is_ajax somewhat secure and
>> trustable. I don't see how your solution could achieve that.
>>
>> > or "?X-Requested-With=ScriptedIFrame"
>>
>> Same as above.
>>
>> > It might nonetheless be nice for django to have some support for
>> > checking for some particular pseudo-header.
>>
>> -1, mostly due to the fact that it's something most people won't need
>> and you can easily inject that info using a middleware yourself. Hence
>> I am for solution A.
>>
>> Cheers,
>> Florian
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Django developers" group.
> To post to this group, send email to django-develop...@googlegroups.com.
> To unsubscribe from this group, send email to 
> django-developers+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/django-developers?hl=en.
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-develop...@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

2010-07-16 Thread David 
> This input field is easily fakeable. An attacker can't fake your
> browsers XHR requests, which makes request.is_ajax somewhat secure and
> trustable. I don't see how your solution could achieve that.

is_ajax() simply checks an HTTP header. It is easily set by an
attacker.

On Jul 16, 2:30 pm, Florian Apolloner  wrote:
> Hi,
>
> On Jul 16, 7:25 pm, David De La Harpe Golden
>
>  wrote:
> > People doing ajax have probably hit the "XMLHttpRequest doesn't do file
> > uploads (at least not non-browser-specifically), use a hidden iframe
> > kludge or flash" issue. Anyway, maybe that will change one day
>
> It's already changing, modern browsers can do what you want (google
> for html5 file uploads). I don't see any reason to support something
> like you suggest; we should support standards and not workarounds
> (just my opinion). Imo the best way currently is to use the new apis
> and fallback to flash or whatever if needed (I actually guess flash is
> the best fallback here).
>
> > The hidden-iframe requests will AFAIK show up with request.is_ajax() ==
> > False to django.  So a "done thing" (I think) to distinguish between the
> > non-ajax and hidden-iframe requests seems to be to just have an extra
> > field to act as a pseudo-header, i.e.
>
> > 
>
> This input field is easily fakeable. An attacker can't fake your
> browsers XHR requests, which makes request.is_ajax somewhat secure and
> trustable. I don't see how your solution could achieve that.
>
> > or "?X-Requested-With=ScriptedIFrame"
>
> Same as above.
>
> > It might nonetheless be nice for django to have some support for
> > checking for some particular pseudo-header.
>
> -1, mostly due to the fact that it's something most people won't need
> and you can easily inject that info using a middleware yourself. Hence
> I am for solution A.
>
> Cheers,
> Florian

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-develop...@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.

Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?

2010-07-16 Thread Florian Apolloner 
Hi,

On Jul 16, 7:25 pm, David De La Harpe Golden
 wrote:
> People doing ajax have probably hit the "XMLHttpRequest doesn't do file
> uploads (at least not non-browser-specifically), use a hidden iframe
> kludge or flash" issue. Anyway, maybe that will change one day

It's already changing, modern browsers can do what you want (google
for html5 file uploads). I don't see any reason to support something
like you suggest; we should support standards and not workarounds
(just my opinion). Imo the best way currently is to use the new apis
and fallback to flash or whatever if needed (I actually guess flash is
the best fallback here).

> The hidden-iframe requests will AFAIK show up with request.is_ajax() ==
> False to django.  So a "done thing" (I think) to distinguish between the
> non-ajax and hidden-iframe requests seems to be to just have an extra
> field to act as a pseudo-header, i.e.
>
> 

This input field is easily fakeable. An attacker can't fake your
browsers XHR requests, which makes request.is_ajax somewhat secure and
trustable. I don't see how your solution could achieve that.

> or "?X-Requested-With=ScriptedIFrame"

Same as above.

> It might nonetheless be nice for django to have some support for
> checking for some particular pseudo-header.

-1, mostly due to the fact that it's something most people won't need
and you can easily inject that info using a middleware yourself. Hence
I am for solution A.

Cheers,
Florian

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-develop...@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.