rhgiant — 2012-05-06T17:07:51-04:00 — #1
I'd like to detect if an AJAX request is from a specific website (say I only want to allow "someallowedwebsite.com"). Is it feasible? I guess it's not. If someallowedwebsite were using JSONRequest, would it help?
On a related note: What is the best way to make sure that a given request comes from a website you expect it to come from?
felgall — 2012-05-06T22:27:47-04:00 — #2
Ajax requests are domain-specific. A request from a web page on example.com is passed to the example.com site for processing. You can't send Ajax requests to sites other than the one the current page belongs to.
The way around that limitation is to have a script on the server call the other site.
oddz — 2012-05-06T23:01:29-04:00 — #3
Nope, not possible. All services exposed through AJAX are fully accessible through HTTP. Anyone can possibly fake the request.
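
An added example, not part of the original thread: a server-side allow-list check on the `Origin` header (falling back to `Referer`), which is the usual way to filter browser-originated cross-site requests. As post #3 says, the header is supplied by the client, so a match narrows where a browser request came from but is not proof. `ALLOWED_ORIGINS`, `checkOrigin` and `runSamples` are hypothetical names, and the sample headers are constructed.

```javascript
// Allow-list of full origins (scheme + host + optional port).
const ALLOWED_ORIGINS = new Set(["https://someallowedwebsite.com"]);

// Returns { allowed, reason }. Header names are expected lower-cased,
// which is how Node's http module delivers them.
function checkOrigin(headers) {
  // Browsers send Origin on cross-site XHR/fetch; Referer is a fallback.
  const raw = headers["origin"] || headers["referer"];
  if (!raw) {
    return { allowed: false, reason: "no Origin or Referer header" };
  }
  let parsed;
  try {
    parsed = new URL(raw); // also rejects the literal Origin value "null"
  } catch (e) {
    return { allowed: false, reason: "unparseable header value" };
  }
  // Compare the whole origin exactly. Substring or endsWith matching
  // would accept look-alike hosts that merely contain the allowed name.
  if (!ALLOWED_ORIGINS.has(parsed.origin)) {
    return { allowed: false, reason: "not on allow-list: " + parsed.origin };
  }
  // The value is client-supplied: treat a match as a filter, and keep
  // real authentication (session, token) as the actual access control.
  return { allowed: true, reason: "on allow-list (client-supplied value)" };
}

// Constructed sample header sets, not captured traffic.
const SAMPLES = [
  { origin: "https://someallowedwebsite.com" },
  { referer: "https://someallowedwebsite.com/page.html" },
  { origin: "https://someallowedwebsite.com.other.example" },
  { origin: "http://someallowedwebsite.com" },
  { origin: "null" },
  {},
];

// Runs every sample through the check and returns the allow decisions.
function runSamples() {
  return SAMPLES.map((h) => checkOrigin(h).allowed);
}

console.log(runSamples());
```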