Ajax in rails is a security violation


#1

Does anybody have any issues with the AJAX code inside Rails? Whenever I
use any sites I have built, or even external sites (such as basecamphq),
my internal security device blocks access to the Ajax piece with a 400 Bad
Request (I scoured the net for other Ajax examples and found no issues
anywhere else). I think there is something in the AJAX code of Rails that
is not implemented correctly. Has anybody else come across this?

thanks
adam


#2

Adam D. wrote:

Does anybody have any issues with the AJAX code inside Rails? Whenever
I use any sites I have built, or even external sites (such as
basecamphq), my internal security device blocks access to the Ajax piece
with a 400 Bad Request (I scoured the net for other Ajax examples and
found no issues anywhere else). I think there is something in the AJAX
code of Rails that is not implemented correctly. Has anybody else come
across this?

Nope… What is this internal security device of which you speak?


#3

On 1/4/06, Adam D. removed_email_address@domain.invalid wrote:

Does anybody have any issues with the AJAX code inside Rails? Whenever I
use any sites I have built, or even external sites (such as basecamphq), my
internal security device blocks access to the Ajax piece with a 400 Bad
Request (I scoured the net for other Ajax examples and found no issues
anywhere else). I think there is something in the AJAX code of Rails that
is not implemented correctly. Has anybody else come across this?

thanks
adam

Perhaps you could explain what criteria your 'internal security
device' uses to determine if a request is a bad one. AJAX requests
are the same as HTTP requests for the most part. The only thing I can
think of offhand is the custom header that Prototype adds. But I
believe it's a perfectly valid header extension.


rick
http://techno-weenie.net


#4

Why does Prototype add custom headers? Is there a way to test it
without those headers?

The device is a spyware/malware proxy by a company called Finjan. It
seems to only block requests for Rails XMLHttp requests, and I am
trying to figure out why. The unique header is definitely one of the
possibilities; is there an easy way to disable this?

thanks
adam


#5

On 1/4/06, Adam D. removed_email_address@domain.invalid wrote:

Why does Prototype add custom headers? Is there a way to test it
without those headers?

The device is a spyware/malware proxy by a company called Finjan. It
seems to only block requests for Rails XMLHttp requests, and I am
trying to figure out why. The unique header is definitely one of the
possibilities; is there an easy way to disable this?

Look at Ajax.Request.setRequestHeaders(), in prototype.js. It sends
info on the version of Prototype that's being used. One major use is
the fact that I can detect Prototype requests in controllers and treat
them differently than normal requests.

Easy way to disable it? Not for other websites, unfortunately.


rick
http://techno-weenie.net
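
Rick's point above, that the custom headers Prototype adds are the only thing separating one of its requests from an ordinary HTTP request, and that a controller can key off them, in working Ruby. This is an added example, not Prototype's or Rails' own code: the header names and the `X-Requested-With` test match what those libraries use, but the sample requests, the version string, the `rack_env_for`, `classify` and `unexpected_headers` helpers and the allow-list proxy model are constructed for illustration. The thread says nothing about how Finjan actually decides, so the proxy model is a hypothesis, not a description of that product.

```ruby
# Added example (not Prototype's or Rails' own code): the request headers a
# Prototype Ajax.Request carries, as seen from a Rails controller and from a
# header-inspecting proxy. All sample requests below are constructed.
require 'set'

# Headers Prototype's setRequestHeaders() adds to every Ajax.Request.
# The version string is a placeholder; real values follow the library release.
PROTOTYPE_AJAX_HEADERS = {
  'X-Requested-With'    => 'XMLHttpRequest',
  'X-Prototype-Version' => '1.4.0',
  'Accept'              => 'text/javascript, text/html, application/xml, text/xml, */*'
}.freeze

# Constructed browser headers shared by every sample request.
BROWSER_HEADERS = {
  'Host'         => 'app.example.test',
  'User-Agent'   => 'Mozilla/5.0 (constructed)',
  'Content-Type' => 'application/x-www-form-urlencoded'
}.freeze

# A Prototype Ajax.Request, a raw XMLHttpRequest that sets no extra headers
# (Adam's "test it without those headers" case), and an ordinary form post.
PROTOTYPE_REQUEST = BROWSER_HEADERS.merge(PROTOTYPE_AJAX_HEADERS).freeze
RAW_XHR_REQUEST   = BROWSER_HEADERS.dup.freeze
FORM_POST_REQUEST = BROWSER_HEADERS.merge('Referer' => 'http://app.example.test/').freeze

# Convert browser header names into the CGI/Rack env keys a Rails request
# object reads ("X-Requested-With" becomes "HTTP_X_REQUESTED_WITH").
def rack_env_for(method, path, headers)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path }
  headers.each do |name, value|
    key = name.upcase.tr('-', '_')
    key = "HTTP_#{key}" unless %w[CONTENT_TYPE CONTENT_LENGTH].include?(key)
    env[key] = value
  end
  env
end

# The same test Rails' request.xhr? performs: X-Requested-With contains
# "XMLHttpRequest", matched case-insensitively.
def xhr?(env)
  env['HTTP_X_REQUESTED_WITH'].to_s.match?(/XMLHttpRequest/i)
end

# Only Prototype sends this header, so it identifies the library as well as
# the fact that script made the request (Rick's controller-side detection).
def prototype_version(env)
  env['HTTP_X_PROTOTYPE_VERSION']
end

# What a controller can conclude from the headers alone.
def classify(env)
  return :prototype_ajax if prototype_version(env)
  return :other_ajax     if xhr?(env)
  :plain # a form post, or an XMLHttpRequest that set no extra headers
end

# Hypothetical proxy model: reject any request carrying a header outside an
# allow list. It shows that X-Requested-With and X-Prototype-Version are the
# only things distinguishing the Prototype request from an ordinary post.
ALLOWED_REQUEST_HEADERS = Set.new(%w[
  host user-agent accept accept-encoding accept-language
  content-type content-length cookie referer connection
]).freeze

def unexpected_headers(headers, allowed = ALLOWED_REQUEST_HEADERS)
  headers.keys.reject { |name| allowed.include?(name.downcase) }
end

def proxy_verdict(headers)
  unexpected_headers(headers).empty? ? '200 OK' : '400 Bad Request'
end

if __FILE__ == $0
  { 'Prototype Ajax.Request' => PROTOTYPE_REQUEST,
    'raw XMLHttpRequest'     => RAW_XHR_REQUEST,
    'form post'              => FORM_POST_REQUEST }.each do |label, headers|
    env = rack_env_for('POST', '/items/create', headers)
    puts format('%-22s controller sees %-15s proxy says %s (unexpected: %s)',
                label, classify(env), proxy_verdict(headers),
                unexpected_headers(headers).join(', '))
  end
end
```

Run as a script it prints one line per sample request. The raw XMLHttpRequest and the form post are indistinguishable on the server, which is the sense in which "AJAX requests are the same as HTTP requests". Whatever a controller does based on these headers is a convenience, not a security control: any client can set or omit them.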


#6

On 1/4/06, Adam D. removed_email_address@domain.invalid wrote:

Why does Prototype add custom headers? Is there a way to test it
without those headers?

The device is a spyware/malware proxy by a company called Finjan. It
seems to only block requests for Rails XMLHttp requests, and I am
trying to figure out why. The unique header is definitely one of the
possibilities; is there an easy way to disable this?

Sounds like Finjan is broken.


#7

Well, I would agree that the device is broken, but every other AJAX
example works fine with XMLHttp requests; only Rails AJAX samples are
broken, which is why I tried to figure out the difference. At this point
it seems to be the custom headers that may be throwing it off.

thanks
adam