WordPress<\/a> we’ve noticed that AJAX requests don’t seem to send HTTP_REFERER values. We check referrers as one level of protection against cross-site-scripting, or XSS, so when they’re not set we aren’t able to use that value. How are most people using AJAX protecting against XSS? It seems the same things we’re doing to make things easily accessible in a dynamic fashion are also opening new vectors for attack.<\/p>\n","protected":false},"excerpt":{"rendered":"When working on some new AJAX features for bbPress and WordPress we’ve noticed that AJAX requests don’t seem to send HTTP_REFERER values. We check referrers as one level of protection against cross-site-scripting, or XSS, so when they’re not set we aren’t able to use that value. How are most people using AJAX protecting against XSS? … Continue reading AJAX and CSRF<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"fullscreen","default_image_id":54207,"font":"","enabled":false},"version":2},"_wpas_customize_per_network":false},"categories":[34],"tags":[39,44,43,41],"class_list":["post-2342","post","type-post","status-publish","format-standard","hentry","category-wordpress","tag-ajax","tag-csrf","tag-security","tag-web-development"],"parsely":{"version":"1.1.0","canonical_url":"https:\/\/ma.tt\/2005\/08\/ajax-and-xss\/","smart_links":{"inbound":0,"outbound":0},"traffic_boost_suggestions_count":0,"meta":{"@context":"https:\
/\/schema.org","@type":"NewsArticle","headline":"AJAX and CSRF","url":"http:\/\/ma.tt\/2005\/08\/ajax-and-xss\/","mainEntityOfPage":{"@type":"WebPage","@id":"http:\/\/ma.tt\/2005\/08\/ajax-and-xss\/"},"thumbnailUrl":"","image":{"@type":"ImageObject","url":""},"articleSection":"WordPress","author":[{"@type":"Person","name":"Matt"}],"creator":["Matt"],"publisher":{"@type":"Organization","name":"Matt Mullenweg","logo":"http:\/\/ma.tt\/files\/2021\/05\/Photo-on-2020-10-28-at-2.05-PM-1.jpg"},"keywords":["ajax","csrf","security","web development"],"dateCreated":"2005-08-28T20:38:57Z","datePublished":"2005-08-28T20:38:57Z","dateModified":"2005-08-28T20:38:57Z"},"rendered":"