Restrict Lasso AJAX-file calls to the intended web page
Mon, Jan 07 2013, 09:21 AJAX, Javascript, jQuery, Lasso, programming, Webserver PermalinkSuppose you have a nice setup where a page interacts with the server via AJAX-calls and executes a Lasso file on the server to get some data. You don't want this file to be called directly via the URL-bar in a web browser, or via other self-made web pages by others who try to access it via a copy of your page. Anybody can see which AJAX-files your page is calling, so for some it is always a challenge to execute them outside the normal webpage to see what data will come up. Might be of interest! So you want to prevent that, somehow.
There is a Lasso-tag called referrer_url, which returns a string containing the URL that requested your AJAX-page. If you look into this string for a domain name or a path that only you have, you can block execution if the requestor is not coming from your server. When a page is called directly in the browser, the referrer_url is always an empty string. Which is logical, since the page was not referred to by another page.
Suppose I have a page mypage.html with a jQuery auto-complete implementation in it. This auto-complete can of course be used by more than one page and you do not want people to try it out in other ways.
...
...
<input type="text" id="inp1" size="25"><span id="desc1"></span>
...
...
<script>
$(document).ready(function() {
$("#inp1").autocomplete({minLength:2, source: "ajax.lasso?p1=a&p2=b", select: function(e,u) { $("#inp1").val(u.item.value); $("#desc1").html((u.item.label).replace("(" + u.item.value + ")", "")); return false; } });
});
</script>
Simple protection:
[
if (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html');
...
...
/if;
]
Better protection:
[
if (string(referrer_url)->beginswith('http://my.domain.com/') &&
(referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html'));
...
...
/if;
]
So this gives you some protection from just try something-users. Add a login-system, which restricts the number of users that might want to hack your pages - you can trace their actions on your site. In that case, add a check if the user is logged in. You must execute your complete login-sequence in your AJAX-pages too, as with 'normal' pages, since the xhttprequest is a normal HTTP request and thus the browser sends the same HTTP-headers and cookies, etc.. to your AJAX-page.
More protection:
[
if (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html');
var('loggedIn = false');
include('checkuser.lasso');
if($loggedIn);
...
...
/if;
/if;
]
Even better protection:
[
if (string(referrer_url)->beginswith('http://my.domain.com/') &&
(referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html'));
var('loggedIn = false');
include('checkuser.lasso');
if($loggedIn);
...
...
/if;
/if;
]
But, as with everything web-related, nothing can be trusted.
There is a Lasso-tag called referrer_url, which returns a string containing the URL that requested your AJAX-page. If you look into this string for a domain name or a path that only you have, you can block execution if the requestor is not coming from your server. When a page is called directly in the browser, the referrer_url is always an empty string. Which is logical, since the page was not referred to by another page.
Suppose I have a page mypage.html with a jQuery auto-complete implementation in it. This auto-complete can of course be used by more than one page and you do not want people to try it out in other ways.
...
...
<input type="text" id="inp1" size="25"><span id="desc1"></span>
...
...
<script>
$(document).ready(function() {
$("#inp1").autocomplete({minLength:2, source: "ajax.lasso?p1=a&p2=b", select: function(e,u) { $("#inp1").val(u.item.value); $("#desc1").html((u.item.label).replace("(" + u.item.value + ")", "")); return false; } });
});
</script>
Simple protection:
[
if (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html');
...
...
/if;
]
Better protection:
[
if (string(referrer_url)->beginswith('http://my.domain.com/') &&
(referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html'));
...
...
/if;
]
So this gives you some protection from just try something-users. Add a login-system, which restricts the number of users that might want to hack your pages - you can trace their actions on your site. In that case, add a check if the user is logged in. You must execute your complete login-sequence in your AJAX-pages too, as with 'normal' pages, since the xhttprequest is a normal HTTP request and thus the browser sends the same HTTP-headers and cookies, etc.. to your AJAX-page.
More protection:
[
if (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html');
var('loggedIn = false');
include('checkuser.lasso');
if($loggedIn);
...
...
/if;
/if;
]
Even better protection:
[
if (string(referrer_url)->beginswith('http://my.domain.com/') &&
(referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html'));
var('loggedIn = false');
include('checkuser.lasso');
if($loggedIn);
...
...
/if;
/if;
]
But, as with everything web-related, nothing can be trusted.
Comments