AJAX and CSRF

Matt Mullenweg, https://ma.tt, Sun, 28 Aug 2005
https://ma.tt/2005/08/ajax-and-xss/

When working on some new AJAX features for bbPress and WordPress we've noticed that AJAX requests don't seem to send HTTP_REFERER values. We check referrers as one level of protection against cross-site-scripting, or XSS, so when they're not set we aren't able to use that value. How are most people using AJAX protecting against XSS? It seems the same things we're doing to make things easily accessible in a dynamic fashion are also opening new vectors for attack.
