Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?
On 18/07/10 10:03, Florian Apolloner wrote: > On Jul 17, 11:29 am, Gregor Mülleggerwrote: >> I think Florian meant that its not possible to change HTTP headers by >> Javascript XSS attacks (or am I wrong here as well?). > Exactly. I think you're thinking of CSRF, javascripted client-side parts of XSS attacks run in the script context of the page they're injected into whatever that may be and could AFAIUI toggle the real header, insert the hidden field, grab cookies and whatnot. Re CSRF: That's why I wasn't suggesting making is_ajax() return true for the pseudo-header, as you wouldn't want is_framejax() to trigger bypass of the csrf countermeasure middleware - in fact you might want to require it, raising an exception if it's called before request.csrf_processing_done or something. Actually, now that csrf_token is more controllably exposed, how does one _not_ exempt is_ajax() requests from the csrf countermeasure check? (never mind, rhetorical, "make copypasta csrf middleware that doesn't bypass" is probably adequate...) Anyway, probably too specialised to worry about, and a custom middleware can, as pointed out, handle it if necessary. Roll on HTML5... -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?
On Jul 17, 11:29 am, Gregor Mülleggerwrote: > I think Florian meant that its not possible to change HTTP headers by > Javascript XSS attacks (or am I wrong here as well?). Exactly. -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?
I think Florian meant that its not possible to change HTTP headers by Javascript XSS attacks (or am I wrong here as well?). Athor attacks that doesn't use a browser as their client can ofcourse manipulate what is_ajax() returns. To the actual proposal: I have the same opinion here as Florian. It's an workaround for an edgecase that isn't defined in a standard. The best way - if you really need it - to have it, is to implement the method your self and inject it to the request object in a middleware. -- Servus, Gregor Müllegger 2010/7/17 David: >> This input field is easily fakeable. An attacker can't fake your >> browsers XHR requests, which makes request.is_ajax somewhat secure and >> trustable. I don't see how your solution could achieve that. > > is_ajax() simply checks an HTTP header. It is easily set by an > attacker. > > On Jul 16, 2:30 pm, Florian Apolloner wrote: >> Hi, >> >> On Jul 16, 7:25 pm, David De La Harpe Golden >> >> wrote: >> > People doing ajax have probably hit the "XMLHttpRequest doesn't do file >> > uploads (at least not non-browser-specifically), use a hidden iframe >> > kludge or flash" issue. Anyway, maybe that will change one day >> >> It's already changing, modern browsers can do what you want (google >> for html5 file uploads). I don't see any reason to support something >> like you suggest; we should support standards and not workarounds >> (just my opinion). Imo the best way currently is to use the new apis >> and fallback to flash or whatever if needed (I actually guess flash is >> the best fallback here). >> >> > The hidden-iframe requests will AFAIK show up with request.is_ajax() == >> > False to django. So a "done thing" (I think) to distinguish between the >> > non-ajax and hidden-iframe requests seems to be to just have an extra >> > field to act as a pseudo-header, i.e. >> >> > >> >> This input field is easily fakeable. An attacker can't fake your >> browsers XHR requests, which makes request.is_ajax somewhat secure and >> trustable. I don't see how your solution could achieve that. >> >> > or "?X-Requested-With=ScriptedIFrame" >> >> Same as above. >> >> > It might nonetheless be nice for django to have some support for >> > checking for some particular pseudo-header. >> >> -1, mostly due to the fact that it's something most people won't need >> and you can easily inject that info using a middleware yourself. Hence >> I am for solution A. >> >> Cheers, >> Florian > > -- > You received this message because you are subscribed to the Google Groups > "Django developers" group. > To post to this group, send email to django-develop...@googlegroups.com. > To unsubscribe from this group, send email to > django-developers+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/django-developers?hl=en. > > -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?
> This input field is easily fakeable. An attacker can't fake your > browsers XHR requests, which makes request.is_ajax somewhat secure and > trustable. I don't see how your solution could achieve that. is_ajax() simply checks an HTTP header. It is easily set by an attacker. On Jul 16, 2:30 pm, Florian Apollonerwrote: > Hi, > > On Jul 16, 7:25 pm, David De La Harpe Golden > > wrote: > > People doing ajax have probably hit the "XMLHttpRequest doesn't do file > > uploads (at least not non-browser-specifically), use a hidden iframe > > kludge or flash" issue. Anyway, maybe that will change one day > > It's already changing, modern browsers can do what you want (google > for html5 file uploads). I don't see any reason to support something > like you suggest; we should support standards and not workarounds > (just my opinion). Imo the best way currently is to use the new apis > and fallback to flash or whatever if needed (I actually guess flash is > the best fallback here). > > > The hidden-iframe requests will AFAIK show up with request.is_ajax() == > > False to django. So a "done thing" (I think) to distinguish between the > > non-ajax and hidden-iframe requests seems to be to just have an extra > > field to act as a pseudo-header, i.e. > > > > > This input field is easily fakeable. An attacker can't fake your > browsers XHR requests, which makes request.is_ajax somewhat secure and > trustable. I don't see how your solution could achieve that. > > > or "?X-Requested-With=ScriptedIFrame" > > Same as above. > > > It might nonetheless be nice for django to have some support for > > checking for some particular pseudo-header. > > -1, mostly due to the fact that it's something most people won't need > and you can easily inject that info using a middleware yourself. Hence > I am for solution A. > > Cheers, > Florian -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: request.is_ajax() and hidden iframe kludge => request.is_framejax()?
Hi, On Jul 16, 7:25 pm, David De La Harpe Goldenwrote: > People doing ajax have probably hit the "XMLHttpRequest doesn't do file > uploads (at least not non-browser-specifically), use a hidden iframe > kludge or flash" issue. Anyway, maybe that will change one day It's already changing, modern browsers can do what you want (google for html5 file uploads). I don't see any reason to support something like you suggest; we should support standards and not workarounds (just my opinion). Imo the best way currently is to use the new apis and fallback to flash or whatever if needed (I actually guess flash is the best fallback here). > The hidden-iframe requests will AFAIK show up with request.is_ajax() == > False to django. So a "done thing" (I think) to distinguish between the > non-ajax and hidden-iframe requests seems to be to just have an extra > field to act as a pseudo-header, i.e. > > This input field is easily fakeable. An attacker can't fake your browsers XHR requests, which makes request.is_ajax somewhat secure and trustable. I don't see how your solution could achieve that. > or "?X-Requested-With=ScriptedIFrame" Same as above. > It might nonetheless be nice for django to have some support for > checking for some particular pseudo-header. -1, mostly due to the fact that it's something most people won't need and you can easily inject that info using a middleware yourself. Hence I am for solution A. Cheers, Florian -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.