www.webdeveloper.com

Thread: How to ensure javascript calls aren't spoofed?

  1. #1
    Join Date
    Feb 2008
    Posts
    3

    How to ensure javascript calls aren't spoofed?

    Hi,

    Given a website (SiteA) where some JavaScript is making Ajax calls to a server, I want to make sure that all Ajax calls are originating from SiteA only. The HTTP referer can be spoofed, so I turn to the JavaScript community. I'm thinking that the JavaScript can send its location. But are there some read-only identifiers that can be used to accomplish this?

    It seems that Google does this somehow (e.g. in Maps), but I couldn't find any good pointers on how they do it.

    All suggestions are welcome, I'm a complete novice when it comes to JavaScript.

    --
    Werner

  2. #2
    Join Date
    Jul 2008
    Location
    urbana, il
    Posts
    2,787
    You can pass a unique token to the client on the HTML part, and check for the token for a match on Ajax requests.
    I would pass the token to the page in a <script> block as a var (instead of a hidden input) to prevent backenders from being able to easily scrape the token.

  3. #3
    Join Date
    Feb 2008
    Posts
    3
    Quote: Originally posted by rnd me
    You can pass a unique token to the client on the HTML part, and check for the token for a match on Ajax requests.
    I would pass the token to the page in a <script> block as a var (instead of a hidden input) to prevent backenders from being able to easily scrape the token.
    I don't quite follow here, what good would that do? I could just take that token to another website?
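
One way to implement the token check suggested in post #2, as an added example that is not from the thread: the token is an HMAC over the visitor's session id and an expiry time, so a token copied out of one page only verifies together with that same session cookie, and only until it expires. The function names, the Node.js `crypto` usage, the session ids and the 15-minute lifetime are assumptions of this example.

```javascript
// Added example (not code from the thread): session-bound, expiring Ajax token.
const crypto = require('crypto');

// Assumption: a secret that never leaves the server (generated here for the demo).
const SERVER_SECRET = crypto.randomBytes(32);
const TOKEN_TTL_MS = 15 * 60 * 1000; // assumed lifetime

// HMAC-SHA256 over "sessionId|expires", hex encoded.
function sign(sessionId, expires) {
  return crypto.createHmac('sha256', SERVER_SECRET)
    .update(`${sessionId}|${expires}`)
    .digest('hex');
}

// Called while rendering the HTML page; the result is what gets
// written into the <script> block as a variable.
function issueToken(sessionId, now = Date.now()) {
  const expires = now + TOKEN_TTL_MS;
  return `${expires}.${sign(sessionId, expires)}`;
}

// Called on every Ajax request. sessionId must come from the server-side
// session (cookie), never from a value the script sends alongside the token.
function verifyToken(sessionId, token, now = Date.now()) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  if (parts.length !== 2) return false;
  const expires = Number(parts[0]);
  if (!Number.isSafeInteger(expires) || expires < now) return false;
  const expected = Buffer.from(sign(sessionId, expires), 'hex');
  const given = Buffer.from(parts[1], 'hex');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Constructed demo values: two different visitor sessions.
const pageToken = issueToken('session-A');
console.log(verifyToken('session-A', pageToken)); // same session
console.log(verifyToken('session-B', pageToken)); // token moved to another session
```

The check ties each Ajax call to a page the server rendered for that session; a client that loads the page itself and keeps its own session cookie still obtains a valid token.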
