
I use my PHP back-end to detect AJAX requests by checking for a value in $_SERVER['HTTP_X_REQUESTED_WITH'].

This gives me a reliable detection, making sure the request is made utilizing AJAX techniques.

How can I make sure the request came from my own domain, and not an external domain/robot?

www.example.com/ajax?true could allow anyone to make an AJAX call and cut the information.

I could make sessions for everyone that enters my website normally, and then allow AJAX calls... but that can be faked too.

Does it even matter these days?

 Answers

62

Let your Controller

  • generate access token
  • store in session for later comparison

In your View

  • declare the access token as JS variable
  • send the token with each request

Back in your Controller

  • validate HTTP_X_REQUESTED_WITH
  • validate token

Check these security guidelines from OpenAjax.
Also, read the article on codinghorror.com Annie linked.

Wednesday, March 31, 2021
 
steros
answered 7 Months ago
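The three steps above (controller generates and stores the token, view exposes it to the page's own JavaScript, controller validates the marker header and the token) as one runnable PHP file. This is an added example and not code from the answer or from the asker's application; the `?action=view|ajax` routing, the `/ajax.php` path, the `X-CSRF-Token` header name and the SameSite cookie settings are assumptions made for illustration.

```php
<?php
// Added example, not code from the answer above. The ?action=view|ajax routing,
// the /ajax.php path and the X-CSRF-Token header name are assumptions for illustration.

declare(strict_types=1);

// Lock the session cookie down first: SameSite=Lax keeps most cross-site requests
// from carrying the session cookie at all, which is the root of the
// "anyone can call /ajax" worry. (PHP 7.3+ cookie options.)
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// --- Controller: generate the access token and store it in the session ---
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded: unguessable by a third party.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// --- Controller: validate HTTP_X_REQUESTED_WITH, then validate the token ---
// Takes the server array as a parameter so it can be unit-tested without a request.
function is_valid_ajax_request(array $server, string $expectedToken): bool
{
    $requestedWith = $server['HTTP_X_REQUESTED_WITH'] ?? '';
    $sentToken     = $server['HTTP_X_CSRF_TOKEN'] ?? '';

    // X-Requested-With is a custom header: a page on another origin cannot add it
    // without a CORS preflight, which this endpoint never approves. curl can set
    // it freely, so on its own it is only a hint, not authentication.
    if ($requestedWith !== 'XMLHttpRequest') {
        return false;
    }
    // Constant-time comparison; known value first, user-supplied value second.
    return $expectedToken !== '' && hash_equals($expectedToken, $sentToken);
}

$action = $_GET['action'] ?? 'view';

if ($action === 'ajax') {
    header('Content-Type: application/json');
    if (!is_valid_ajax_request($_SERVER, $_SESSION['csrf_token'] ?? '')) {
        http_response_code(403);
        echo json_encode(['error' => 'forbidden']);
        exit;
    }
    echo json_encode(['ok' => true, 'data' => 'visible only to this session']);
    exit;
}

// --- View: declare the access token as a JS variable, send it with each request ---
// Only scripts running on this origin can read the token out of the page; the
// Same Origin Policy keeps another site's JavaScript from doing so.
$tokenJs = json_encode(csrf_token());
?>
<!doctype html>
<meta charset="utf-8">
<h1>AJAX demo</h1>
<pre id="out"></pre>
<script>
  const CSRF_TOKEN = <?= $tokenJs ?>;

  fetch('/ajax.php?action=ajax', {
    method: 'GET',
    credentials: 'same-origin',           // send the session cookie
    headers: {
      'X-Requested-With': 'XMLHttpRequest',
      'X-CSRF-Token': CSRF_TOKEN,         // the token travels with every request
    },
  })
    .then(r => r.json())
    .then(data => { document.getElementById('out').textContent = JSON.stringify(data); });
</script>
```

What this buys over a session alone: a page on Mallory's origin can make Alice's browser send the session cookie, but it cannot read the token out of Bob's page and cannot attach the custom headers without a preflight, so its request fails the `hash_equals` check and gets a 403. A robot that never loaded the view has no session and no token and also gets a 403. None of this stops a bot that registers its own account and drives the site like a user; it only stops other sites from riding on a real user's session.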
10

OK, there is a kind of solution. I do not really like it, but it is something rather than nothing.

The idea is to use a smarter "sleep": there is a method waitUntil() which takes an anonymous function and a timeout in milliseconds. What it does is run the passed function in a loop until the timeout hits or your function returns True. So you can run something and wait until the context has changed:

$this->waitUntil(function () {
    // Polled by waitUntil until it returns a non-null value or the timeout hits.
    if ($this->byCssSelector('h1')) {
        return true;   // element is present: stop waiting
    }
    return null;       // keep polling
}, 5000);              // timeout in milliseconds

I will still be glad if somebody gives a better solution.

Wednesday, March 31, 2021
 
EurekA
answered 7 Months ago
55

Now my main concern is, can't the HTTP headers be spoofed? For example, can't an attacker curl a request to the other server, sending the exact HTTP headers that my CORS request does?

You have two misconceptions here.

  1. CORS headers are sent by the server, not the client (although sometimes a client will make a pre-flight OPTIONS request)
  2. What the Same Origin Policy is defending against

The Same Origin Policy exists to stop Mallory's (evil) website from getting data from Bob's website by asking Alice's browser to request it when Alice visits Mallory's website.

If that was possible, then Mallory could get any information that was supposed to be a shared secret between Alice and Bob (such as Alice's account balance on Bob's banking website).

can't an attacker curl a request to the other server, sending the exact HTTP headers that my CORS request does?

Since Mallory has no way of knowing what security credentials need to be included in the request (because, for instance, they are stored in Alice's cookies for Bob's website): No.

But CORS doesn't matter here: the Same Origin Policy isn't implemented by cURL, since it isn't a browser running JavaScript supplied by arbitrary websites.

I guess sensitive information should never be shared within a CORS communication

It depends on the nature of the information.

If Alice and whatever websites you authorise in the CORS headers are allowed to see it, then it is fine to send it (although you should probably use SSL), so long as you have authenticated Alice's identity.

If only Alice and your site should see it, then don't put CORS headers on it (and don't provide any other way to bypass the Same Origin Policy, such as JSON-P).

If Alice shouldn't see it, then you should never send it to Alice's browser, CORS or no CORS.

Saturday, May 29, 2021
 
Hilmi
answered 5 Months ago
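The answer's three cases (authorised sites may see it, only your own site may see it, Alice may not see it) come down to which `Access-Control-Allow-Origin` value the server emits, if any. Below is an added PHP endpoint, not the answerer's code, that relaxes the Same Origin Policy only for an explicit allowlist of origins. The allowlist entries, the session fields and the `balance` payload are assumptions made for illustration.

```php
<?php
// Added example, not from the answer above: CORS with an origin allowlist.
// The allowlisted origins and the session fields are assumptions for illustration.

declare(strict_types=1);

const ALLOWED_ORIGINS = [
    'https://app.example.com',
    'https://admin.example.com',
];

// Decide which CORS headers (if any) to emit for the request's Origin header.
// Returns header name => value. An empty array means "no CORS headers": the
// browser then enforces the Same Origin Policy as usual, which is exactly what
// the answer recommends for data only Alice and this site should see.
function cors_headers(?string $origin, array $allowed): array
{
    // No Origin header: a same-origin navigation or a non-browser client such as
    // curl. There is nothing to relax; curl never applied the policy anyway.
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return [];
    }
    return [
        // Echo the *allowlisted* origin. Never "*" (browsers refuse it together
        // with credentials) and never the raw Origin value unchecked: reflecting
        // any Origin with credentials lets every site read Alice's data.
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
        'Access-Control-Allow-Methods'     => 'GET, OPTIONS',
        'Access-Control-Allow-Headers'     => 'X-Requested-With',
        // Shared caches must key on Origin, or one origin's response is served
        // to another.
        'Vary'                             => 'Origin',
    ];
}

session_start();
$origin = $_SERVER['HTTP_ORIGIN'] ?? null;

foreach (cors_headers($origin, ALLOWED_ORIGINS) as $name => $value) {
    header("$name: $value");
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
    // Pre-flight: the headers above are the whole answer.
    http_response_code(204);
    exit;
}

// Authenticate Alice before sending anything that is hers.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit;
}

// Data that Alice and the allowlisted sites may see. Anything Alice herself
// must not see never goes into this response at all, CORS or no CORS.
header('Content-Type: application/json');
echo json_encode(['balance' => $_SESSION['balance'] ?? 0]);
```

One caveat: for an origin that is not on the list the browser only hides the response; the server has still processed a request that carried Alice's cookie. That is harmless for a read like this one, but a state-changing endpoint needs a CSRF token or a SameSite cookie in addition to the allowlist, because a blocked response does not undo a side effect.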
64

I ended up building my own ringer in the BroadcastReceiver, as zapl suggested (thanks!). Problem was, I couldn't create a dialog that would allow user to dismiss the alarm, however I was able to create a notification that does that, as the class documentation suggested.

Thursday, August 5, 2021
 
MM1
answered 3 Months ago
99

In the app defining your ContentProvider, did you also define the permission you are requiring/requesting (in your other app)? Like so (within the root <manifest/> tag):

<permission android:name="com.example.permission.READ" />

In general, you need to:

  1. define the permission in one of your apps' manifest files
  2. request the permission in any of your apps' manifest files, for apps that wish to get the permission
  3. require this permission in any component that you wish to guard with this permission, like Activities, Services, or ContentProviders (read, write, both, specific sub-URIs, etc)

Edit: so just to be 100% clear, it is NOT enough to "implicitly" define a permission by requiring it in, say, your ContentProvider. You have to define it explicitly in your app's manifest file (within the <manifest/> tag).

Monday, August 16, 2021
 
Navaneeth K N
answered 3 Months ago